Abstract

This report is a tutorial for the State Delta Verification System (SDVS), an automated system developed at The Aerospace Corporation for use in formal computer verification. SDVS helps users write and check mathematical proofs of computer correctness at the hardware, firmware, and software levels. Currently, SDVS is capable of verifying properties of computer descriptions or programs written in three computer languages. These languages are subsets of the hardware description languages VHDL and ISPS, and of the Ada programming language. In addition, SDVS may be used to verify the validity of a large class of formulas of first-order temporal logic. This tutorial contains a description of most, but not all, of the proof capabilities of SDVS. (The SDVS 13 Users' Manual [1] should be consulted for a more comprehensive account.) The tutorial description is embedded in numerous examples of proofs in SDVS.
1 Introduction

The purpose of this tutorial is to introduce the reader, via examples, to the State Delta Verification System (SDVS), an automated system developed at The Aerospace Corporation for use in formal computer verification.^1

SDVS is a prototype^2 of a production-quality verification system that may be used to formally verify software from the microcode level to high-level applications programs, and hardware from the gate level to high-level architecture. This prototype is based on a formal theoretical framework [2] and has a practical, interactive system for constructing mathematical proofs [1]. The software level of SDVS supports Ada [3] programs, the microcode level supports either ISPS [4] or VHDL [5] hardware descriptions, and the hardware level supports VHDL hardware descriptions. SDVS has language translators for subsets of Ada, VHDL, and ISPS that automatically translate a program written in one of these subsets to an SDVS formula (see Section 7).

Currently, the most advanced language translator in SDVS is the Ada translator. It handles a subset of Ada that is roughly equivalent to Pascal without reals but with packages. The most extensive application of SDVS to Ada verification has been the verification of a modified portion of the Midcourse Space Experiment (MSX) tracking processor software, which builds messages from sequences of commands. This portion of the software consisted of about 800 lines of code [6].

The SDVS VHDL translator incorporates an extensive subset of VHDL, admitting both behavioral (algorithmic, or register-transfer) and structural (component hierarchy) specifications of digital systems. A number of example VHDL descriptions have been proved correct (e.g. adders, multipliers, multiplexers), and a substantial "real-world" application involving a commercial receiver/transmitter chipset is currently in progress.

In Section 2 of this tutorial, we present a brief overview of SDVS and its temporal logic. We define the central concept of SDVS, the state delta, and provide several examples that illustrate its syntax and semantics.

Sections 3 and 6 are the heart of the tutorial. The former is devoted to the most important dynamic proof commands of SDVS and the latter to the static proof commands.

The SDVS integer, bitstring, and array data types are discussed in Section 4. Other types are presented in Section 7.2.

In Section 5 we discuss the use of quantification in SDVS and prove a state delta that contains existential and universal quantification over array indices.

In Section 7 we build on the previous sections and present proofs of correctness of Ada, VHDL, and ISPS programs.

^1 For a more detailed account of SDVS, the reader should refer to the SDVS 13 User's Manual [1].
^2 The work on SDVS is ongoing.
2 An Overview of SDVS

The formal framework of SDVS relies on the language and techniques of mathematical logic. SDVS is based on a specialized temporal logic whose characteristic formulas, called state deltas, provide an operational semantic representation of computation. Our operational model is discussed in more detail in the next section. Technically, SDVS checks proofs of state deltas. SDVS can handle proofs of claims of the form "if P is true now, then Q will become true in the future." Assuming P represents a program (perhaps with some initial assertions) and Q is an output assertion, this is an input-output assertion about P. SDVS can be used as well to prove a claim of the form "if P is true now, then Q is true now;" assuming both P and Q represent programs, this claim asserts the implementation correctness of P with respect to Q [7]. This is a claim that one program correctly implements another. Specifications of programs may be directly formulated in state deltas, or may be programs that can be translated into state deltas.

Figure 1: SDVS User Interaction (diagram; labels: User, SDVS, yes/no)

Figure 1 gives a high-level view of how a user typically interacts with SDVS.

SDVS has a theorem prover (also referred to as a proof checker), knowledge about several computer domains (data types), and a set of translators. A user inputs either an Ada, VHDL, or ISPS program together with a specification for that program. Then the user interacts with SDVS to construct a proof that the program satisfies the specification. A proof may be developed interactively and then later executed in batch mode.
Figure 2: A Timeline (diagram)

The user communicates with SDVS through several languages. The user interface language is used for interactive proof construction. The proof language is used to write a proof for the system to check. The state delta language is used to express claims to be proven and to describe the relevant programs and specifications. Finally, the application languages (currently, subsets of ISPS, VHDL, and Ada) are used to express the computational objects to be verified. The translators function as SDVS's interface to application languages by translating them into the state delta language; the translator for each application language is an implementation of a denotational semantics for the language in terms of state deltas.

SDVS has knowledge about domains used in the programs. A main component of the theorem prover is the SDVS Simplifier, which implements these domains as theories with complete or partial decision procedures (or solvers) [8]. The decision procedures are used to deduce properties about domain objects. The complete decision procedures automatically answer queries about propositions, equality, enumeration orderings, fragments of naive set theory, and part of integer arithmetic. The partial decision procedures are part automatic and part manual, with the user instructing the system to use various axioms to deduce properties. The domain axiomatization is "hardwired" in SDVS, although we are currently experimenting with a facility for user-defined domains [9] that is based on the Boyer-Moore theorem prover [10]. Domains for which there are partial solvers include integer arithmetic, bitstrings, arrays, VHDL time, and VHDL waveforms. The Simplifier handles combinations of theories according to the Nelson-Oppen algorithm for cooperating decision procedures [11].

2.1 The Operational Nature of SDVS

SDVS provides an operational approach to formal verification. Operational verification systems equate a program with the class of all possible computation sequences^3 (executions) of that program; a verification system is used to show that a program is correct for all possible computation sequences. In SDVS a computation sequence is a model of a formula in the language of a temporal logic. Thus, correctness properties of programs can be expressed and proved in a temporal logic framework; a proof of program correctness is a mathematical proof of a temporal formula.

Every program written in a computer language accepted by SDVS describes a class of temporal structures that are possible executions of the program. For a program P with program variables (or registers) x, y, and z, and for a set of initial values (fixed or symbolic) for these variables, a possible execution of P generates a linear sequence of times t_0, ..., t_j, where t_0 is the initial time. We call this sequence a timeline; it is illustrated in Figure 2. In our terminology, time is an abstraction that indexes the states of an execution; it is not to be confused with the ticks of a clock. At each time t, the program variables have fixed or symbolic values. For a variable x, let x(t) denote its value at time t. A state is an ordered set consisting of a point of time t in the timeline of the execution of the program, followed by the values of the program variables at time t. For example, <t, x(t), y(t), z(t)> represents the state at time t for an execution of the program P. A model of P is a sequence of states representing a possible execution of P.

^3 A computational sequence of a program is a temporal structure that is a model of the program. Temporal structures and models are defined in Section 2.2.2.

$\langle t_0, x(t_0), y(t_0), z(t_0), \neg terminated_P(t_0)\rangle, \ldots, \langle t, x(t), y(t), z(t), terminated_P(t)\rangle$
where $x(t_0) = 2,\ y(t_0) = 3,\ z(t_0) = z_0,\ x(t) = 2,\ y(t) = 3,\ z(t) = 5$

Figure 3: A Model of P

Assertions about the program P are, in effect, assertions about the models of P. For example, if program P calculates the sum of x and y and stores the result in z, then a correctness assertion about P is that "for every pair of initial values of x and y, P terminates and, upon termination, the value of z is the sum of the initial values of x and y." This may be stated by the formula q_1:

$q_1 = \exists t\,(z(t) = x(t_0) + y(t_0) \wedge terminated_P(t))$

where x(t_0) and y(t_0) are symbolic values, and where terminated_P is false until P terminates, at which time it becomes true. The formula q_1 is true in every model M of P. Figure 3 shows an example of a model of P.

Just as assertions about a program P are assertions about all the models of P, proofs about P are proofs about all the models of P. In SDVS, when one writes a correctness proof about a program, the program is first translated into SDVS's temporal language, and then the proof is performed in that language, using the logic of SDVS. We use tr(P) to denote such a translation of a program P. The translation process is akin to compilation, in that the program is "compiled" into a temporal logic formula.

For our example program P with its specification q_1, a proof that P is correct with respect to q_1 is a proof that the formula $tr(P) \rightarrow q_2$ (where q_2 is a translation of q_1 into a temporal formula) is a valid formula of temporal logic and hence is true in all temporal structures.


2.2 The State Delta Language

Statements involving time can be expressed in temporal languages and proved in temporal logics. Temporal languages have symbols, called temporal operators, that are used to express such statements. The only temporal operator of SDVS is the state delta.^4 It is a combination of the classical temporal operators always, eventually, and fragments of until. In this section we briefly discuss its syntax and semantics.


2.2.1 Syntax

The language L of SDVS contains function, predicate, and constant symbols and two types of variables, global and local.^5 The values of the global variables are constant throughout a timeline (computation), whereas the values of the local variables vary with time. The atomic terms are either constants (e.g. 0 and 1), global variables, or of the form .x or #x, where x ranges over the local variables.

In a manner analogous to that for the predicate calculus, terms and atomic formulas are defined from the atomic terms, the function symbols (e.g. + and *), and the predicate symbols (e.g. gt and le). For example, 2 * (#x − .y + a) is a term with local variables x and y and global variable a, and 2 * (#x − .y + a) =  is an atomic formula.

The set of formulas of SDVS is defined to be the smallest set that contains the atomic formulas and that is closed under conjunction ("and"), disjunction ("or"), negation ("not"), implication ("implies"), universal quantification over global variables ("forall a"), existential quantification over global variables ("exists a"), and the state delta operator

[sd pre: p comod: c mod: m post: q]

where (1) the precondition p is a formula with the property that for every local variable x, every occurrence of #x in p is an occurrence in either the precondition or postcondition of a state delta subformula of p; (2) the postcondition q is a formula; and (3) the comodification list c and modification list m are lists of local variables.

For every local variable x and formula φ, an occurrence of .x (#x) in φ is an upper-level occurrence if and only if the occurrence is not in the precondition or postcondition of a state delta subformula of φ. A formula φ is of precondition type iff for every local variable x, φ has no upper-level occurrences of #x. A precondition type formula is static (nontemporal) if and only if it has no state delta subformulas. Here are some examples:

(i) The first occurrence of #x in the formula

#x le 2*.y and [sd pre: true comod: x,y mod: x post: #x=.x+1]

is an upper-level occurrence, whereas the second occurrence is not. This formula is not a precondition type formula.

(ii) The formula

.x le 2*.y implies [sd pre: .x lt .y comod: x mod: z post: #x=1]

is of precondition type but is not static.

(iii) The formula

exists a (.x+.y = 5 and a ge 3)

is a static formula.

^4 State deltas were first introduced in [12].
^5 Global and local variables may be constrained to range over specific SDVS data types (see Section 4). By default, they are usually of type integer.


2.2.2 Semantics

A temporal structure M consists of a first-order base structure (e.g. the integers), a timeline T, and a valuation V, such that

(i) V assigns a function, predicate, and element of the base structure to every function, predicate, and constant symbol of the language, respectively.

(ii) To every global variable a, V assigns an element, V(a), of the base structure.

(iii) For every local variable x and every time t of the timeline T, V assigns an element of the base structure, V(.x,t) [or simply x(t)], to the atomic term .x at time t.

Let t be an element of T. Then for every term τ in which # does not occur, V assigns an element of the base structure, V(τ,t), to the term τ at time t. Furthermore, for every static precondition formula φ, V assigns a truth value to φ, V(φ,t), at time t, in a manner analogous to that for the predicate calculus.

For example, if V(a) = 2, V(.x,t) = −1, and V(.y,t) = 4, then

$V((.y = 3 * a + 2 * .x),\ t) = \mathrm{true}$

and

$V(\exists b\,(b = a \text{ and } .y = 3 * b + 2 * .x),\ t) = \mathrm{true}$

We proceed to define V(φ,t) for every precondition formula φ and every t in T. The definition is by induction on the complexity of φ.

Boolean operators and quantification over global variables are treated in the standard way. Suppose that φ is the state delta formula

[sd pre: p comod: c mod: m post: q]

and that .x_1, ..., .x_n and #y_1, ..., #y_k are the upper-level (local) atomic terms of q. Then φ is true at time t if and only if for every t_1 ≥ t such that every local variable in c is constant in the closed time interval [t, t_1] and such that p is true at time t_1, there is a time t_2 ≥ t_1 such that every local variable not in m is constant in the closed time interval [t_1, t_2] and such that

$q[V(.x_1,t_1)/.x_1,\ \ldots,\ V(.x_n,t_1)/.x_n;\ \ .y_1/\#y_1,\ \ldots,\ .y_k/\#y_k]$

is true at time t_2. The substitution of the values of the x_i's at time t_1 for the .x_i's is made prior to the substitution of the .y_j's for the #y_j's in q. In effect, the upper-level atomic terms of q are evaluated at time t_1 if they are of the form .x, and at time t_2 if they are of the form #x.

In the definition of the truth of the state delta φ, a time with the properties of t_1 described above is said to be a "precondition time" of the state delta (with respect to the "current" time t at which it is evaluated), and a time with the properties of t_2 is said to be a "postcondition time" of the state delta (with respect to t_1). A modification or comodification list of "all" is an abbreviation for the list (set) of all local variables of the language. The comodification (modification) list of a state delta is also called its comodification (modification) field. If the comodification list of the state delta φ is "all," then every precondition time is, in effect, the same as the current time,^6 i.e., t_1 = t. Similarly, if the modification list of the state delta is empty, then every postcondition time of the state delta is, in effect, equal to its corresponding precondition time, i.e. t_1 = t_2.

Figure 4: A Temporal Structure M

Evidently, the state delta operator is complex. A few examples should clarify its semantics. Suppose that x, y, s, and i are the only local variables of the language, a and b are global variables, and the base first-order structure is the set of integers with functions "+", "*" and predicates "le" and "lt".

Figure 4 depicts a temporal structure M with five points in its timeline. The base structure is the set of integers with the usual functions and predicates. The numbers in each column are the values of the local variables at each point of the timeline.

The discussion that follows refers to the structure M and to its timeline.

^6 An important fact about every precondition formula σ of SDVS is that for every temporal structure, if t < t_1 are elements of the timeline of the structure such that every local variable of the language is constant in the time interval [t, t_1], then the truth value of σ is constant in [t, t_1].
(i) The static formula A + .y + .x = s + 3 is true at

(ii) A state delta with comodification and modification lists of "all" and precondition "true" asserts that there is a time in the future (possibly now) such that the postcondition is true. For example, the state delta

[sd pre: true comod: all mod: all post: #i=1]

is true at t_0 and t_1 and false at all other times.

(iii) The state delta

[sd pre: true comod: all mod: s,i post: #s=.s+1 and #i=.i+1]

is true at times t_0, t_1, and t_2, but false at all other times. The comodification list "all" denotes the list of all local variables. At any particular time r in the timeline of a temporal structure, this state delta is true iff there is a time t ≥ r such that only s and i may change their value in the closed time interval [r, t] and s(t) = s(r) + 1 ∧ i(t) = i(r) + 1.

(iv) The state delta

[sd pre: true comod: all mod: x,y post: #y=.x and #x=.y]

is true at t_3 but false at all other times.

(v) A state delta with a comodification list of "all" and an empty modification list asserts that the precondition implies the postcondition at the current time. The reason for this is that any precondition time is, in effect, equal to the current time, and any postcondition time is, in effect, equal to the corresponding precondition time. Thus the state delta

[sd pre: .i=0 comod: all mod: post: #s=5]

is true at time t_0. In fact, it is true at all other times as well, because its precondition is false at every other time.

(vi) A state delta with empty comodification and modification lists asserts that at every time t in the future, the precondition at time t implies the postcondition at time t. For example, the state delta

[sd pre: true comod: mod: post: #i ge 1]

is true at time t_1, since the value of i is greater than or equal to 1 at t_1 and thereafter. However, it is false at t_0.

(vii) The state delta

[sd pre: .i lt .y
    comod: x,y
    mod: s,i
    post: #s=.s+1 and #i=.i+1]

is true at t_0. The precondition times with respect to the current time t_0 are t_0, t_1, and t_2; for these precondition times the corresponding postcondition times are t_1, t_2, and t_3, respectively. Note that t_3 and t_4 are not precondition times with respect to t_0, because the precondition is false at the former time, and the comodification list is violated in the latter time (y is not constant in the interval [t_0, t_4]). This state delta is also true at t_1 and t_2. It is true at t_3 by default, because of its comodification list and the fact that its precondition is false at t_3, and it is false at t_4.

(viii) The "nested" state delta

[sd pre: true
    comod: all
    mod: i,s
    post: #i=.i+1 and #s=.s+1 and
          [sd pre: true
              comod: all
              mod: i,s
              post: #i=.i+1 and #s=.s+1]]

is true at t_0 and t_1, but false at all other times. It is not true at t_2 because the state delta in its postcondition is false at t_3.
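The truth conditions just worked through for examples (ii)-(viii), together with the upper-level-occurrence test of Section 2.2.1, as an added Python example that is not part of SDVS or of this report. The tuple encoding of formulas and the five-point timeline are constructed here (the values of Figure 4 are not reproduced on this page); the timeline is chosen so that the examples receive exactly the truth values stated above.

```python
"""Evaluator for the SDVS state delta operator over a finite timeline (added example,
not code from the SDVS system or the report).  Formulas are nested tuples; a timeline
is a list of states, one dict of local-variable values per time point."""
ALL = "all"                      # the comod/mod abbreviation "all"
LOCALS = ("x", "y", "s", "i")    # the only local variables, as in Section 2.2.2

# Constructed five-point timeline (NOT the values of the report's Figure 4, which are
# not reproduced here).  It is chosen so that the worked examples (ii)-(viii) of
# Section 2.2.2 get exactly the truth values the text states for them.
TIMELINE = [
    {"x": 5, "y": 3, "s": 5, "i": 0},   # t0
    {"x": 5, "y": 3, "s": 6, "i": 1},   # t1
    {"x": 5, "y": 3, "s": 7, "i": 2},   # t2
    {"x": 5, "y": 3, "s": 8, "i": 3},   # t3
    {"x": 3, "y": 5, "s": 8, "i": 3},   # t4: x and y swapped, s and i unchanged
]

# Constructors: dot("x") is .x, hsh("x") is #x, const(5) is the literal 5.
def dot(v):   return ("dot", v)
def hsh(v):   return ("hash", v)
def const(n): return ("const", n)
def sd(pre, comod, mod, post): return ("sd", pre, comod, mod, post)
TRUE = ("true",)

def expand(lst):
    """The set of local variables named by a comod/mod list ("all" = every local)."""
    return set(LOCALS) if lst == ALL else set(lst)

def constant_over(tl, names, t1, t2):
    """True iff every variable in names keeps its value on the closed interval [t1, t2]."""
    return all(tl[k][v] == tl[t1][v] for v in names for k in range(t1, t2 + 1))

def eval_term(term, tl, t_pre, t_post):
    """Value of a term: .x is read at the precondition time, #x at the postcondition time."""
    kind = term[0]
    if kind == "const":
        return term[1]
    if kind in ("dot", "hash"):
        return tl[t_pre if kind == "dot" else t_post][term[1]]
    a, b = (eval_term(x, tl, t_pre, t_post) for x in term[1:])
    return {"+": a + b, "-": a - b, "*": a * b}[kind]

def holds(f, tl, t, t_pre=None):
    """Truth of formula f at time t.  For a postcondition, t is the postcondition time
    and t_pre the precondition time (.x refers to t_pre, #x to t); otherwise t_pre is t."""
    t_pre = t if t_pre is None else t_pre
    kind = f[0]
    if kind == "true":
        return True
    if kind == "and":
        return all(holds(g, tl, t, t_pre) for g in f[1:])
    if kind == "implies":
        return not holds(f[1], tl, t, t_pre) or holds(f[2], tl, t, t_pre)
    if kind == "sd":
        return holds_sd(f, tl, t)          # a nested state delta is evaluated afresh at t
    a, b = (eval_term(x, tl, t_pre, t) for x in f[1:])
    return {"=": a == b, "lt": a < b, "le": a <= b, "ge": a >= b}[kind]

def holds_sd(f, tl, t):
    """Section 2.2.2: [sd pre: p comod: c mod: m post: q] holds at t iff every precondition
    time t1 >= t (c constant on [t, t1], p true at t1) has a postcondition time t2 >= t1
    (every local NOT in m constant on [t1, t2]) at which q holds, .x read at t1, #x at t2."""
    _, pre, comod, mod, post = f
    frozen = set(LOCALS) - expand(mod)   # variables the delta may not change
    for t1 in range(t, len(tl)):
        if not (constant_over(tl, expand(comod), t, t1) and holds(pre, tl, t1)):
            continue                      # t1 is not a precondition time
        if not any(constant_over(tl, frozen, t1, t2) and holds(post, tl, t2, t1)
                   for t2 in range(t1, len(tl))):
            return False                  # a precondition time without a postcondition time
    return True

def truth_profile(f, tl=TIMELINE):
    """Truth value of f at every point of the timeline, t0 first."""
    return [holds(f, tl, t) for t in range(len(tl))]

def has_upper_level_hash(f):
    """Section 2.2.1: an occurrence of #x is upper-level unless it lies inside the pre- or
    postcondition of a state delta subformula; f is of precondition type iff there is none."""
    if f[0] == "hash":
        return True
    if f[0] in ("sd", "dot", "const", "true"):
        return False
    return any(has_upper_level_hash(g) for g in f[1:])

# The worked examples of Section 2.2.2, transcribed from the report's bracket syntax.
INCR = ("and", ("=", hsh("s"), ("+", dot("s"), const(1))),        # #s=.s+1 and #i=.i+1
               ("=", hsh("i"), ("+", dot("i"), const(1))))
SD_II   = sd(TRUE, ALL, ALL, ("=", hsh("i"), const(1)))
SD_III  = sd(TRUE, ALL, ("s", "i"), INCR)
SD_IV   = sd(TRUE, ALL, ("x", "y"), ("and", ("=", hsh("y"), dot("x")), ("=", hsh("x"), dot("y"))))
SD_V    = sd(("=", dot("i"), const(0)), ALL, (), ("=", hsh("s"), const(5)))
SD_VI   = sd(TRUE, (), (), ("ge", hsh("i"), const(1)))
SD_VII  = sd(("lt", dot("i"), dot("y")), ("x", "y"), ("s", "i"), INCR)
SD_VIII = sd(TRUE, ALL, ("i", "s"), ("and", INCR, SD_III))          # the "nested" delta

if __name__ == "__main__":
    for name, f in (("ii", SD_II), ("iii", SD_III), ("vii", SD_VII), ("viii", SD_VIII)):
        print(name, truth_profile(f))
```

Each entry of a truth profile is the value of the state delta at t_0, ..., t_4 in turn, so the profiles can be read off against the "true at ... false at ..." statements of the examples.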

A precondition formula is valid with respect to the first-order structure A iff it is true at the initial point of every temporal structure M whose first-order base structure is A. For example, if the base structure A is the set of integers, then the state deltas

[sd pre: .x=1 and
         [sd pre: true comod: all mod: y post: #y=.x+5]
    comod: all
    mod: y
    post: #y=6]

and

[sd pre: .x=a and .y=b and
         [sd pre: true
             comod: all
             mod: x,y
             post: #x=.y and #y=.x]
    comod: all
    mod: x,y
    post: #x=b and #y=a]

are valid with respect to A.

In SDVS the only formulas that may be proved (valid) are the state deltas. But this is not an important limitation of the system, because for any precondition formula S, the state delta

[sd pre: true comod: all mod: post: S]

is valid iff S is valid.


2.3 Model of Storage

Although we have used the local variables (places in SDVS terminology) as if they were independent of each other (so that, for example, a change of one does not affect the other), places were historically considered to be memory locations that could possibly overlap. Thus in situations in which they are considered to be independent, SDVS must be explicitly informed of that fact. Thus, for the above examples it would be necessary to add the statement "covering(all,x,y,z,s)" in the precondition of every upper-level state delta. This statement asserts that the local variables x, y, z, and s are independent of each other and that they comprise the set of all local variables. The discussion of ISPS (Section 7.3) will describe the possible overlap of places in greater detail.


2.4 Proofs in SDVS

A proof is a structured argument, using mathematical logic, that a formula is true. The state delta language is used to write theorems (formulas) to be proved. Using the proof language in SDVS, the user has access to axioms and rules with which to write interactively a proof that the system checks. If a state delta is proved in SDVS, then it is true in all temporal structures (computational models) with the appropriate base structure.

The underlying proof method used by SDVS is symbolic execution. Symbolic execution essentially involves executing a program or machine description from its initial state through successive states, using symbolic values for the program variables or for the contents of machine registers. Of course, the computation path is often conditional on specific values; in these instances subproofs must be initiated to account for all possibilities. The correctness claims that are proved are all of the form "At certain states some conditions are true." Thus, during a proof there are two kinds of tasks: to go from state to state, and to prove that certain things are true in a given state. These are the dynamic and static aspects of the proof system, respectively.

The dynamic proof language has three basic rules: straight-line symbolic execution (for instances where the path is not data dependent), proof by cases (at branch points), and induction (necessary when the number of times through a loop is data dependent, but could also be used for a large constant number of iterations). There are other variations to handle special cases, such as a command to handle general recursive procedures.

Once SDVS has "arrived" at a state that the user knows (or hopes) will satisfy the conditions to be proved, SDVS must be convinced that these conditions are true. Thus, SDVS has some explicit facts about the state listed in its database, which perhaps do not include verbatim the required condition. The problem is then to prove the "static" theorem that those facts imply the required condition. This is a theorem of ordinary mathematics. The domains associated with these theorems frequently involve bitstrings, integers, arrays, and the like. Also, a knowledge of basic propositional logic, equality, and some quantification theory is often needed.

In these domains (and others) SDVS has a mix of automatic deduction capability and axioms that may be invoked by the user when proving theorems. As mentioned above, there are two reasons for such a mix: for theoretical reasons of impossibility or inefficiency, some deductions cannot be done automatically, or else a totally nonautomatic deduction capability would be too time-consuming for the user.


2.5 Installing SDVS

SDVS is available on magnetic tape in three different formats: source code; object code for Franz Allegro Common Lisp (FACL); and as a standalone executable utilizing the Franz Allegro Runtime package. Each format requires its own procedure for creating or loading SDVS, as outlined below. However, the procedure for reading the system files from the tape is the same for all formats.

SOFTWARE REQUIREMENTS

SDVS currently runs under Franz Allegro Common Lisp release 4.2. SDVS is also available as a standalone executable utilizing the Franz Allegro Runtime package; users of this version of SDVS are not required to supply their own Common Lisp environment. SDVS assumes that the underlying operating system is Unix, Sun OS 4.1, or equivalent.

HARDWARE REQUIREMENTS

The FACL binary and FACL runtime versions of SDVS require a Sparc processor. The source code should run under FACL on other architectures without modification, although this has not been tested. SDVS should port easily to other Common Lisp implementations on other architectures, although, again, this has not been done.

DISK SPACE REQUIREMENTS

Table 1 gives the disk space requirements for SDVS 13. "Installed" represents the disk requirements of the system after SDVS has been installed, and assumes that the tar file from the tape has been recompressed. The size of your installed executable image, if you are building SDVS from the source or either binary version, will depend on the size of your (vanilla) Common Lisp image. These numbers are therefore approximate. All numbers are in megabytes (MB).
Table 1: Disk Space Requirements for SDVS 13, in MB

                          To Load From Tape    Installed
    Source (.lisp)               ???              N/A
    Franz Object (.fasl)         ???              ???
    Franz Runtime                ???              ???

READING  THE  SYSTEM  FILES 

First, you should create a top-level directory to contain all of the files and subdirectories
associated with SDVS. On our system, this directory is called versys (for VERification
SYStem) and resides as a subdirectory under /u, giving /u/versys. Although you can give
your directory any name, we suggest you use the same name for compatibility; yours can
be located anywhere, however. For example, you might put it as a subdirectory of /usr/lib,
giving /usr/lib/versys. For the examples below, we assume you have /usr/lib/versys as your
top-level directory.

Next, you will want to load the SDVS system tar file from the tape. To do this, create a
tmp directory in your top-level versys directory, connect (cd) to it, and extract (tar) the
system tar file as follows ([unix] is the system prompt):

[unix]  tar  xfmv  xxx 

where xxx is the device name for your tape drive, e.g. /dev/rst0. This will create a file
named sdvsnn-xxxx.tar.Z where nn is the current release number (e.g. 13) and xxxx is
lisp (for source files), fasl (for FACL object), or runtime (for FACL runtime). The file
is compressed, so it must be uncompressed:

[unix] uncompress sdvsnn-xxxx.tar

replacing  nn  and  xxxx  appropriately. 

Now,  the  system  directories  must  be  extracted  from  the  tar  file: 

[unix] tar xfmv sdvsnn-xxxx.tar

This process creates a file structure containing the individual files from which the SDVS
system can be used or built. Once this process is complete, you may delete sdvsnn-xxxx.tar
if you feel you have no further need for it. An alternative is to recompress the file:

[unix] compress sdvsnn-xxxx.tar

Both  will  save  disk  space. 

Before you can build and use an SDVS executable image or use the FACL Runtime executable,
you must define a UNIX environment variable as follows. This can be done directly
in the shell in which you plan to build or use SDVS or by adding the command to your
.cshrc file.

[unix] setenv SDVS_DIR "/usr/lib/versys/"

Of  course,  you  will  need  to  supply  the  correct  path  you  have  chosen  for  your  top-level 
directory.  Please  note  the  slash  (/)  character  at  the  end;  it  is  required. 

BUILDING  AN  SDVS  EXECUTABLE  IMAGE 

Once you have all of the system files available, you can build an executable SDVS image.
To do this, you must start up a (vanilla) Common Lisp session (either LCL or FACL) and
load the init-sdvs.lisp file found in your top-level directory. (If you don't know how to start
up a Common Lisp session, see your system administrator.) NOTE: If building SDVS on
top of LCL, before loading the init-sdvs.lisp file, you must change Common Lisp packages
to the CL-USER package by:

>  (in-package  :cl-user) 

To load the init-sdvs.lisp file, type

> (load "/usr/lib/versys/init-sdvs")

After the init-sdvs.lisp file has been loaded, you are ready to tell Lisp to build your SDVS
executable. Two functions will do this: make-sdvs builds from the object files;
make-new-sdvs builds from the source files and compiles the entire system. Each function takes one
argument, the name you wish to give the executable; the executable will automatically
reside in your top-level directory. You may give the executable any name you want; in the
following examples, we use the name sdvs13 for our executable. Each of these functions will
produce a trace of what is happening. (NOTE: For these operations, you must have write
privileges to the appropriate directories.)

For  creating  an  SDVS  executable  from  source: 

> (make-new-sdvs "sdvs13")

For  creating  an  SDVS  executable  from  binary: 

> (make-sdvs "sdvs13")

You  may  safely  ignore  any  warning  messages  printed  by  the  system.  When  you  return  to 
the  Lisp  prompt,  you  can  exit  Lisp  by 

>  (quit) 

USING  THE  SDVS  RUNTIME  EXECUTABLE 

If you have extracted the SDVS system files from a tape containing the "runtime" format,
the file /usr/lib/versys/sdvs13 (assuming the appropriate top-level directory) contains
the executable image. This can be used to run SDVS directly, as noted below.

RUNNING  SDVS 

You  have  gone  through  this  procedure  and  have  created  your  executable.  How  do  you  run 
SDVS?  At  the  Unix  shell,  just  type,  for  example 


[unix] /usr/lib/versys/sdvs13

or just sdvs13 if you are connected (cd) to the top-level directory (/usr/lib/versys in our
example) or if your PATH environment variable contains the path to the top-level directory.

RUNNING  THE  TEST  SUITE 

Included  in  the  SDVS  release  is  a  set  of  tests  that  exercise  the  system.  To  run  these  tests, 
you  must  first  start  up  SDVS.  (After  building  your  SDVS  executable,  you  should  restart 
SDVS  so  that  the  system  is  initialized  properly.)  When  you  get  to  the  SDVS  prompt,  invoke 
the  tests  as  follows: 

<sdvs.1> run-test-proofs


A very long trace will appear. If the tests run successfully (this may take over two hours on
a Sun 4), you will return to the SDVS prompt. If something goes wrong, Lisp will "break,"
allowing you to examine the system; Lisp will print out some diagnostic information and
put you at a prompt. If this should happen, you may exit Lisp by typing (quit).

You  may  restart  SDVS  by  first  returning  to  the  top  level  of  Lisp  and  invoking  the  function 
sdvs  as  follows: 

>  (sdvs) 

From  the  SDVS  prompt,  you  can  return  to  Lisp  by  typing  the  SDVS  command  bye. 
3 Dynamic Execution


In this section we present most of the SDVS commands that advance the state of a computation
or program execution. (Section 6 is devoted to those commands that do not advance
the state, but rather enlarge the set of facts known to SDVS about a specific state.) In
Section 3.1 we consider those commands that are most often used in proofs that involve
the translation of assignment statements, in Section 3.2 those commands that involve the
translation of "case" program segments, and in Section 3.4 the induct command that is
used in proofs that involve "loop" program segments. Finally, in Section 3.3 we consider
ways of proving state deltas that are assertions about the current state or about all future
states.

Henceforth,  in  the  system-user  dialogue,  typewriter  print  is  system  output  and  italic 
print  is  user  input.  In  the  discussion  of  the  examples,  mathematical  formulas  and  terms  are 
printed  in  TeX  math  mode. 

3.1 Straight-line Proofs

In  this  section  we  present  in  a  very  leisurely  fashion  two  simple  examples  that  will  introduce 
the  reader  to  an  extensive  part  of  the  SDVS  proof  environment. 


Example 1 In the first example we prove that the state delta translation of the program
P in Section 2.1 implies its specification, namely, that if the initial values of x and y are
2 and 3, respectively, and z is assigned the value of x + y, then there will be a time when
the values of x, y, and z will be 2, 3, and 5, respectively. Lest the reader be alarmed, we
note that the assignment of concrete values to the variables is only for pedagogic reasons:
in most of our examples, the values of the program variables will be symbolic.

We  first  create  the  state  delta  that  corresponds  to  the  assignment  statement 


z := x + y

using  the  createsd  command. 


<sdvs.1> createsd

name: assign.sd
[SD pre: true
    comod[]: all
    mod[]: z
    post: #z=.x+.y
]


If assign.sd is true at time $t_0$, then there is a time $t_1 > t_0$ such that $z(t_1) = x(t_0) + y(t_0)$
and such that the values of $x$ and $y$ remain constant in the interval $[t_0, t_1]$ (because of the
modification list, only $z$ may change its value in this time interval). Hence $x(t_1) = x(t_0)$
and $y(t_1) =$

The  pretty-print  command  pp  displays  the  state  delta  associated  with  a  given  state  delta 
name: 

<sdvs.1> pp
object: sd

state delta name: assign.sd

[sd pre: (true)
    comod: (all)
    mod: (z)
    post: (#z = .x + .y)]

We  now  create  the  state  delta  that  asserts  that  the  state  delta  translation  of  P  implies  the 
specification  of  P. 

<sdvs.1> createsd

name: example1.sd

[SD pre: covering(all,x,y,z), .x=2, .y=3, formula(assign.sd)
    comod[]: all
    mod[]: z
    post: #x=2, #y=3, #z=5
]

Note that the proper way to include the state delta assign.sd in the precondition (or
postcondition) of example1.sd is to include it as "formula(assign.sd)". Also note that
commas at the top level of the precondition and postcondition of a state delta are interpreted
as "and".

The  initialization  command  init  should  always  be  used  prior  to  the  beginning  of  a  top-level 
proof.  The  command  clears  any  knowledge  that  the  system  has  acquired  in  a  given  session 
(apart  from  the  already  established  association  of  names  with  formulas). 

<sdvs.1> init

proof name []: <CR>

State  Delta  Verification  System,  Version  13 
Restricted  to  authorized  users  only. 

SDVS  has  a  list  of  flags  that  may  be  set  by  the  user: 

<sdvs.1> flags

abbreviationlevel = none
acceptfileproofs = on
autoclose = on
checkexistence = off
checksyntax = on
displaymapsds = on
ekltraceflag = off
enumerate = off
invariance = off
optimizeassignments = simp
ppdottednames = off
pplinewidth = 75
reportpropagations = on
showstats = off
showstep# = off
strongcoverings = off
stronglytyped = off
traceflag = on
uniquenamelevel = 1
usedots = off
weaknext.tr = off

Type 'help flags' for a description.

If the autoclose flag is set to "off", SDVS will not usually "close" the proof of a state delta,
even if the goal (the postcondition) of the state delta has been achieved (reached). (The
proof of a state delta is closed if the proof is complete.)

<sdvs.1> setflag

flag variable: autoclose
on or off [off]: off

setflag autoclose -- off

We are now ready to prove example1.sd.

<sdvs.2> prove

state delta []: example1.sd
proof []: <CR>

open -- [sd pre: (covering(all,x,y,z),.x = 2,.y = 3,formula(assign.sd))
         comod: (all)
         mod: (z)
         post: (#x = 2,#y = 3,#z = 5)]

Complete the proof.

SDVS has now opened the proof of example1.sd: it has advanced the state (subject to
the constraints of the comodification list "all") to a time at which the precondition of
the state delta is asserted (to be true), and has placed the translation of the postcondition
at the top of its goal stack. It has also noted the modification list "z"; by doing so, any
advancement of the state must henceforth be made subject to this modification list, that
is, any advancement must be restricted to possible changes in the value of z only.

Since the precondition has been asserted to be true, the values of x and y must be 2 and
3, respectively. This may be checked by the simp (simplify) command. Recall that the
current value of a place a is denoted by .a and not by #a.

<sdvs.2.1> simp
expression: .x

2

<sdvs.2.1> simp
expression: .y

3

The value of z at this point is symbolic and indeterminate:

<sdvs.2.1> simp
expression: .z

z\5

Since assign.sd is in the precondition, it is now true. This may be ascertained by the
usable query, which displays the state deltas (and the quantified formulas) that are true in
the current state.

<sdvs.2.1> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (z)
         post: (#z = .x + .y)]

No usable quantified formulas.
A state delta that is true at the current time may not be "applicable." To be applicable,
its precondition must also be true at the current time. Since the precondition of assign.sd
is always true, assign.sd is now applicable. This may be checked by the nsd command,
which displays the most recent state delta that the system knows to be applicable.

<sdvs.2.1> nsd

[sd pre: (true)
    comod: (all)
    mod: (z)
    post: (#z = .x + .y)]

At any point in the course of a proof the user may ask SDVS to list the goals of the most
current proof that it does not know to be true:

<sdvs.2.1> whynotgoal
simplify? [no]: <CR>

g(3) #z = 5

The apply command is used to advance the state by "applying" an applicable state delta
whose modification list is a sublist of the modification list of the state delta to be proved.
If no argument is given, SDVS applies the most recent applicable state delta:

<sdvs.2.1> apply

sd/number [highest applicable/once]: <CR>

apply -- [sd pre: (true)
          comod: (all)
          mod: (z)
          post: (#z = .x + .y)]

SDVS executes the application of a state delta S by

• linking every upper-level dotted place a in the postcondition of S to any information
  about a it currently has,

• removing any information about the current state whose truth depends on the values
  of places in the modification list of S, and

• asserting the postcondition of S.

Thus the application of assign.sd advances the state to a time at which x and y have
retained their previous values and at which the value of z is asserted to be equal to the
sum of these two previous values. Furthermore, assign.sd is no longer known to be true in
this state (because its comodification list did not allow anything to change) and is thus no
longer usable.

Let  us  check  these  facts: 

<sdvs.2.2> simp
expression: .x

2

<sdvs.2.2> simp
expression: .y

3

<sdvs.2.2> simp
expression: .z

5

<sdvs.2.2>  usable 
No  usable  state  deltas. 

No  usable  quantified  formulas. 

Thus  our  goal  has  been  reached.  SDVS  has  not  automatically  closed  the  proof  because  the 
“autoclose”  flag  is  off. 

Let  us  check  the  goals  once  more: 

<sdvs.2.2> whynotgoal
simplify? [no]: <CR>

The goal is TRUE. Type 'close'.

The  command  close  will  close  the  proof: 

<sdvs.2.2> close
close -- 1 steps/applications


Once  a  proof  of  a  state  delta  is  closed,  the  state  delta  becomes  true  (usable)  but  any 
information  gained  during  its  proof  is  lost  and  any  information  that  was  lost  after  its  proof 
was  opened  is  restored:  the  state  is  “popped”  to  the  time  before  the  “prove”  command  was 
used  to  prove  it: 

<sdvs.3> simp
expression: .x

x\7

<sdvs.3>  simp 
expression:  .y 

y\8 

<sdvs.3>  simp 
expression:  .z 

z\9 

<sdvs.3> usable

u(1) [sd pre: (covering(all,x,y,z),.x = 2,.y = 3,formula(assign.sd))
         comod: (all)
         mod: (z)
         post: (#x = 2,#y = 3,#z = 5)]


No  usable  quantified  formulas. 

Note  that  although  examplel.sd  is  usable,  it  is  not  applicable,  because  its  precondition  is 
not  necessarily  true: 

<sdvs.3>  nsd 

No  applicable  state  deltas. 

A  proof  that  has  just  closed  may  be  given  a  name  and  stored  temporarily  in  the  system 
(for  the  duration  of  the  current  session  only)  using  the  dump-proof  command: 

<sdvs.3> dump-proof

name: example1.sd.proof

Current proof dumped to example1.sd.proof.

This command must be given prior to an init command.

Now  let  us  initialize  the  system  once  more  to  demonstrate  that  init  will  erase  examplel.sd 
from  the  usable  list: 

<sdvs.3> init

proof name []: <CR>

State  Delta  Verification  System,  Version  13 
Restricted  to  authorized  users  only. 

<sdvs.1> usable
No  usable  state  deltas. 

No  usable  quantified  formulas. 

The saved proof "example1.sd.proof" may be run in batch mode by means of the init or
interpret commands.

<sdvs.1> init

proof name []: example1.sd.proof
State Delta Verification System, Version 13
Restricted to authorized users only.
setflag autoclose -- off

open -- [sd pre: (covering(all,x,y,z),.x = 2,.y = 3,formula(assign.sd))
         comod: (all)
         mod: (z)
         post: (#x = 2,#y = 3,#z = 5)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (z)
          post: (#z = .x + .y)]
close -- 1 steps/applications

It  may  also  be  pretty-printed  by  the  pp  command: 


<sdvs.3> pp
object: proof

proof name: example1.sd.proof

proof example1.sd.proof:

(setflag autoclose off,
 prove example1.sd
   proof:
     (apply u(1),
      close))

But  this  is  true  only  during  the  current  session.  To  store  in  a  file  the  proof  and  the 
state  deltas  created  in  this  SDVS  session,  the  user  may  write  them  by  means  of  the  write 
command: 


<sdvs.3> write

path name [testproofs/foo.proofs]: tutorial/example1
state delta names []: assign.sd, example1.sd
proof names []: example1.sd.proof
axiom names []: <CR>
lemma names []: <CR>
formula names []: <CR>
formulas names []: <CR>
macro names []: <CR>
datatype names []: <CR>
adalemma names []: <CR>
vhdllemma names []: <CR>

Write to file "tutorial/example1" -- (assign.sd,example1.sd,example1.sd.proof)


Furthermore  the  association  of  names  with  formulas  in  the  current  session  may  be  severed 
by  the  delete  command: 

<sdvs.3> delete

object type: proof

object name: example1.sd.proof

<sdvs.3> delete
object type: sd
object name: assign.sd

<sdvs.3> pp
object: sd

state delta name: assign.sd

The name assign.sd is not associated with a state delta.

pp error: unknown state delta

<sdvs.3> pp
object: proof

proof name: example1.sd.proof

The name example1.sd.proof is not associated with a proof.
pp error: unknown proof

In any new session with SDVS, these associations may be read from the file

<sdvs.3> read

path name [tutorial/example1]: tutorial/example1

Definitions read from file "tutorial/example1"
-- (assign.sd,example1.sd,example1.sd.proof)

and  executed  via  the  init  command  or  the  interpret  command: 

<sdvs.1> interpret

proof name: example1.sd.proof

setflag autoclose -- off

open -- [sd pre: (covering(all,x,y,z),.x = 2,.y = 3,formula(assign.sd))
         comod: (all)
         mod: (z)
         post: (#x = 2,#y = 3,#z = 5)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (z)
          post: (#z = .x + .y)]
close -- 1 steps/applications


The  main  difference  between  the  init  command  and  the  interpret  command  in  running  a 
batch  proof  is  that  the  interpret  command  does  not  initialize  the  system  prior  to  running 
the  proof.  Thus  in  the  cases  in  which  we  want  to  run  a  batch  proof  of  a  state  delta  within 
the  proof  of  another  state  delta,  the  interpret  command  is  appropriate. 


Example 2 This second simple example differs from the first primarily in that the local
variables have only symbolic values. Proofs of such programs are said to be done by symbolic
execution. The example is a proof that the state delta translation of the program segment
Q

temp := x;
x := y;
y := temp;

implies that at the end of the execution of Q, x and y will have exchanged their initial values.
The example also illustrates the translation of a program consisting of several statements
to a nested state delta. The translation of the assignment statement

y := temp

is the state delta assign.temp.to.y.sd:

[sd pre: (true) comod: (all) mod: (y) post: (#y = .temp)]

The translation of the assignment statement

x := y

with its continuation is the state delta assign.y.to.x.sd:

[sd pre: (true)
    comod: (all)
    mod: (x)
    post: (#x = .y,formula(assign.temp.to.y.sd))]

The truth of assign.y.to.x.sd at a time $t_{i_1}$ implies that there are times $t_{i_2}$ and $t_{i_3}$ such
that

• $x(t_{i_2}) = y(t_{i_1})$ and $y(t_{i_3}) = temp(t_{i_2})$, and

• only $x$ may change its value in the interval $[t_{i_1}, t_{i_2}]$, and

• only $y$ may change its value in the interval $[t_{i_2}, t_{i_3}]$.

The translation of the assignment statement

temp := x

with its continuation is the state delta assign.x.to.temp.sd:

[sd pre: (true)
    comod: (all)
    mod: (temp)
    post: (#temp = .x,formula(assign.y.to.x.sd))]

This state delta is in fact the state delta translation of the program segment Q. Finally,
the assertion that the translation of Q implies the specification of Q is the state delta
example2.sd:

[sd pre: (covering(all,x,y,temp),formula(assign.x.to.temp.sd))
    comod: (all)
    mod: (all)
    post: (#x = .y,#y = .x)]

Now let us open the proof of example2.sd:

<sdvs.1> prove

state delta []: example2.sd
proof []: <CR>

open -- [sd pre: (covering(all,x,y,temp),formula(assign.x.to.temp.sd))
         comod: (all)
         mod: (all)
         post: (#x = .y,#y = .x)]

Complete  the  proof . 

The opening of the proof of example2.sd asserts its precondition at the initial state of the
computational model. At this state, the variables x and y are given symbolic values of the
form "variablename\number", where "number" is a positive integer that is generated in
an indeterminate manner. These values are listed by the ppeq (pretty-print equivalence
class) command:
<sdvs.1.1> ppeq
expression: .x

eqclass = x\21

<sdvs.1.1> ppeq
expression: .y

eqclass = y\20

<sdvs.1.1> ppeq
expression: .temp

eqclass = temp\22

The goal of the proof of example2.sd, which is the interpreted postcondition of example2.sd,
may be viewed by means of the goals query:

<sdvs.1.1> goals

g(1) #x = y\20
g(2) #y = x\21

Since the precondition of example2.sd has been asserted, the state delta assign.x.to.temp.sd
is usable (true), and moreover, since its precondition is also true at the current state, it is
also applicable. This latter fact may be ascertained via the query applicable, to which
SDVS responds with a list of all the state deltas that it knows to be applicable at the current
state:

<sdvs.1.1> applicable

u(1) [sd pre: (true)
         comod: (all)
         mod: (temp)
         post: (#temp = .x,formula(assign.y.to.x.sd))]
This state delta may be applied via the apply command with the parameters u and 1:

<sdvs.1.1> apply

sd/number [highest applicable/once]: u

number: 1

apply -- [sd pre: (true)
          comod: (all)
          mod: (temp)
          post: (#temp = .x,formula(assign.y.to.x.sd))]
The state has now been advanced to a time at which the symbolic value of temp is the
previous value of x, and x and y have retained their values:

<sdvs.1.2> ppeq
expression: .x

eqclass = x\21

<sdvs.1.2> ppeq
expression: .y

eqclass = y\20

<sdvs.1.2> ppeq
expression: .temp

eqclass = x\21

Furthermore, at this new state, assign.x.to.temp.sd is no longer necessarily true, because its
comodification list has a nonempty intersection with the modification list of the state delta
that was applied. Thus, it is also not applicable, but assign.y.to.x.sd is applicable since it
was asserted to be true by the application and its precondition is always true. Let us note
this fact and apply the state delta by using another parameter for the apply command,
namely, the name of the state delta to be applied:

<sdvs.1.2> applicable

u(1) [sd pre: (true)
         comod: (all)
         mod: (x)
         post: (#x = .y,formula(assign.temp.to.y.sd))]

<sdvs.1.2> apply

sd/number [highest applicable/once]: assign.y.to.x.sd

apply -- [sd pre: (true)
          comod: (all)
          mod: (x)
          post: (#x = .y,formula(assign.temp.to.y.sd))]

The  state  has  been  advanced  once  more.  Let  us  check  the  symbolic  values  of  the  variables 
in  the  computation: 


<sdvs.1.3> ppeq
expression: .x

eqclass = y\20

<sdvs.1.3> ppeq
expression: .y

eqclass = y\20

<sdvs.1.3> ppeq
expression: .temp

eqclass = x\21

As  expected,  one  of  the  goals  has  been  achieved:  the  current  value  of  x  is  the  initial  value 
of  y.  Once  more,  the  goals  are: 

<sdvs.1.3> goals

g(1) #x = y\20
g(2) #y = x\21

The query whynotgoal will demonstrate that one of the goals has indeed been achieved
and will list the remaining ones:

<sdvs.1.3> whynotgoal
simplify? [no]: <CR>

g(2) #y = x\21

The query ps (proof state) will show the history of the proof:

<sdvs.1.3> ps

<< initial state >>
proof in progress of example2.sd <3>
apply u(1) <2>
apply assign.y.to.x.sd <1>

--> you are here <--

Had we erred in the course of the proof, we would want to go back to the point before the
error and start anew. This may be accomplished via the pop command:

<sdvs.1.3> pop

number of levels [1]: 2

2 levels popped.
We are now at the point before the first apply:

<sdvs.1.1> ps

<< initial state >>

proof in progress of example2.sd <1>

--> you are here <--

The command apply has another use: with a number n as the parameter, SDVS will try
to apply n state deltas, using at each point the first applicable state delta in its list:

<sdvs.1.1> apply

sd/number [highest applicable/once]: 2

apply -- [sd pre: (true)
          comod: (all)
          mod: (temp)
          post: (#temp = .x,formula(assign.y.to.x.sd))]

apply -- [sd pre: (true)
          comod: (all)
          mod: (x)
          post: (#x = .y,formula(assign.temp.to.y.sd))]

<sdvs.1.3> ps

<< initial state >>
proof in progress of example2.sd <3>
apply <2>
apply <1>

--> you are here <--

So  we  are  back  to  the  state  attained  after  two  applications. 

To  illustrate  another  important  way  to  advance  the  state  of  computation  by  the  application 
of  state  deltas,  we  pop  back  again 

<sdvs.1.3> pop

number of levels [1]: 2

2 levels popped.

and get some help on the until command:

<sdvs.1.1> help
with [all]: until

until <postformula>

Symbolically executes highest applicable state deltas until
<postformula> is TRUE, there are no more applicable state deltas, or the
'autoclose' flag is on and the current goal is satisfied.

Let  us  apply  until  the  goal  #x  =  .y  has  been  achieved,  and  then  check  where  we  are  in  the 
proof: 

<sdvs.1.1> until
formula: #x=.y

apply -- [sd pre: (true)
          comod: (all)
          mod: (temp)
          post: (#temp = .x,formula(assign.y.to.x.sd))]

apply -- [sd pre: (true)
          comod: (all)
          mod: (x)
          post: (#x = .y,formula(assign.temp.to.y.sd))]
until break point reached -- #x = .y

One more application should close the proof, but let us first set the autoclose flag to "off."

<sdvs.1.3> setflag

flag variable: autoclose
on or off [on]: off

setflag autoclose -- off

We now check to ensure that assign.temp.to.y.sd is applicable and then apply it:

<sdvs.1.4> applicable

u(1) [sd pre: (true) comod: (all) mod: (y) post: (#y = .temp)]

<sdvs.1.4> apply

sd/number [highest applicable/once]: <CR>

apply -- [sd pre: (true)
          comod: (all)
          mod: (y)
          post: (#y = .temp)]


The  symbolic  values  of  x  and  y  should  now  meet  the  specification: 


<sdvs.1.5> ppeq
expression: .y

eqclass = x\21

<sdvs.1.5> ppeq
expression: .x

eqclass = y\20

If the autoclose flag were "on," SDVS would have automatically closed the proof after the
last application, because it knows that all of the goals have been met:

<sdvs.1.5> whynotgoal
simplify? [no]: <CR>

The goal is TRUE. Type 'close'.

Let  us  look  at  the  proof  state: 

<sdvs.1.5> ps

<< initial state >>
proof in progress of example2.sd <5>
apply (until #x = .y) <4>
apply (until ...) <3>
autoclose flag turned off <2>
apply u(1) <1>

--> you are here <--

Close  the  proof: 

<sdvs.1.5> close

close -- 4 steps/applications

And  see  what  ps  has  to  say: 

<sdvs.2> ps

<< initial state >>
proved example2.sd <1>
--> you are here <--
At this point example2.sd is usable but not applicable. We could dump its proof via the
dump-proof command or quit the proof via the quit command (which will end the proof
session and associate the proof with the name "sdvsproof"). The command dump-proof
does not end the proof session, i.e., after a dump-proof, the most recently proved state
delta is still usable. Furthermore, dump-proof may be used in the middle of a proof. But
quit may be used only at the end of a proof, and afterwards the state delta that was proved
is no longer usable:

<sdvs.2> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State  Delta  Verification  System,  Version  13 
Restricted  to  authorized  users  only. 

<sdvs.1> usable
No usable state deltas.

No usable quantified formulas.

A proof may also be pretty-printed:

<sdvs.1> pp
object: proof
proof name: sdvsproof

proof sdvsproof:

prove example2.sd
  proof:
    (until #x = .y,
     setflag autoclose off,
     apply u(1),
     close)

Let  us  turn  the  autoclose  flag  to  “on”  and  prove  example2,sd  using  the  until  command 

with  the  postcondition  of  example2,$d  as  its  goal: 

<sdvs.1> setflag

flag variable: autoclose
on or off[on]: on

setflag autoclose -- on

<sdvs.2> init

proof name[]: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> prove

state delta[]: example2.sd
proof[]: <CR>

open -- [sd pre: (covering(all,x,y,temp),formula(assign.x.to.temp.sd))
comod: (all)
mod: (all)
post: (#x = .y,#y = .x)]

Complete  the  proof. 

<sdvs.1.1> until

formula: #x=.y and #y=.x

apply -- [sd pre: (true)
comod: (all)
mod: (temp)
post: (#temp = .x,formula(assign.y.to.x.sd))]

apply -- [sd pre: (true)
comod: (all)
mod: (x)
post: (#x = .y,formula(assign.temp.to.y.sd))]

apply -- [sd pre: (true)
comod: (all)
mod: (y)
post: (#y = .temp)]
close -- 3 steps/applications

Now, quit will associate a different proof with “sdvsproof”:

<sdvs.2> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> pp
object: proof
proof name: sdvsproof

proof sdvsproof:

prove example2.sd

proof: until #x = .y & #y = .x

3.2 Proofs by Cases


During  the  course  of  a  proof,  a  disjunction  of  two  or  more  formulas  may  be  true,  and  it 
may  be  that  the  proof  can  proceed  only  by  considering  each  disjunct  separately,  i.e.,  it  may 
be  necessary  to  prove  that  each  disjunct  implies  that  the  goal  will  be  achieved.  For  this 
possibility,  SDVS  has  the  cases  and  meases  commands.  Our  next  example  will  feature  the 
use  of  the  cases  command. 


Example 3 Consider the following conditional statement R:

if x <= y then
    z := y - x;
else
    z := x - y;
end if

At the end of the execution of this segment, the value of z should be the absolute value of the difference of x and y, or equivalently, it should be true that

$z \geq 0 \wedge (z = x - y \vee z = y - x)$

The statement R may be translated in SDVS as the conjunction of the state delta if.sd

[sd pre: (.x le .y)
comod: (all)
mod: (z)
post: (#z = .y - .x)]

and the state delta else.sd

[sd pre: (.y lt .x)
comod: (all)
mod: (z)
post: (#z = .x - .y)]

Thus, the state delta case.sd

[sd pre: (covering(all,x,y,z),formula(if.sd),formula(else.sd))
comod: (all)
mod: (z)
post: (#z ge 0,#z = .y - .x or #z = .x - .y)]

asserts that the state delta translation of R implies its specification.

Footnote: SDVS has an absolute value function, abs, but in most cases, proofs that involve it require “reading” and invoking axioms, a subject that will be covered in Section 6.

Let us initiate the proof of case.sd:

<sdvs.1> init

proof name[]: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> setflag

flag variable: autoclose
on or off[off]: off

setflag autoclose -- off

<sdvs.2> prove

state delta[]: case.sd
proof[]: <CR>

open -- [sd pre: (covering(all,x,y,z),formula(if.sd),formula(else.sd))
comod: (all)
mod: (z)
post: (#z ge 0,
#z = .y - .x or #z = .x - .y)]

Complete the proof.

The query ppl will display the symbolic values of the places x and y:

<sdvs.2.1> ppl

places[all]: <CR>

x x\30
y y\29

The symbolic value of z is unimportant at this point, since .z does not appear at the top level of the postcondition of case.sd.

The interpreted postcondition of case.sd is the goal of the proof:

<sdvs.2.1> goals
g(1) #z ge 0
g(2) #z = y\29 - x\30 or #z = x\30 - y\29
And the state deltas else.sd and if.sd are usable:

<sdvs.2.1> usable

u(1) [sd pre: (.y lt .x)
comod: (all)
mod: (z)
post: (#z = .x - .y)]

u(2) [sd pre: (.x le .y)
comod: (all)
mod: (z)
post: (#z = .y - .x)]

No usable quantified formulas.

But they are not applicable:

<sdvs.2.1> applicable

The query whynotapply shows why:

<sdvs.2.1> whynotapply

state delta[highest usable]: if.sd

Because the following is not known to be true -- .x le .y

<sdvs.2.1> whynotapply

state delta[highest usable]: else.sd

Because the following is not known to be true -- .y lt .x

Neither is applicable because, at this state, neither precondition is true. But the disjunction of their preconditions is surely true:

<sdvs.2.1> simp

expression: .x le .y or .y lt .x

true

Footnote: When there are usable state deltas but none of which is known to be applicable by SDVS, the applicable query gives no information, because under certain circumstances, it may be possible for the user to prove that one of the usable state deltas is in fact applicable.
Since SDVS knows that the disjunction of these two formulas is true, we may use the cases command to split the proof of the goal into the case that .x ≤ .y and the case that .y < .x. In the first case, if.sd will be applicable, and in the second case, else.sd will be applicable. But in both cases, the goal will remain the same, and so will the modification list. The comodification list will always be “all.”

<sdvs.2.1> cases

case predicate: .x le .y

cases -- .x le .y

open -- [sd pre: (.x le .y)
comod: (all)
mod: (z)
post: (#z ge 0,
#z = y\29 - x\30 or #z = x\30 - y\29)]

The proof of the first case has been opened. The state has not been advanced (the “all” in the comodification list assures this), but it is now assumed that .x ≤ .y:

<sdvs.2.1.1.1> simp
expression: .x le .y

true

As we already noted, the goal remains the same:

<sdvs.2.1.1.1> goals
g(1) #z ge 0
g(2) #z = y\29 - x\30 or #z = x\30 - y\29
Furthermore, since the state has not been advanced, the same state deltas are usable:

<sdvs.2.1.1.1> usable

u(1) [sd pre: (.y lt .x)
comod: (all)
mod: (z)
post: (#z = .x - .y)]

u(2) [sd pre: (.x le .y)
comod: (all)
mod: (z)
post: (#z = .y - .x)]

No usable quantified formulas.

But in this case, since .x ≤ .y, if.sd is also applicable:

<sdvs.2.1.1.1> applicable

u(2) [sd pre: (.x le .y)
comod: (all)
mod: (z)
post: (#z = .y - .x)]

Let us see where we are in the proof, and then apply if.sd:

<sdvs.2.1.1.1> ps

<< initial state >>
autoclose flag turned off <3>
proof in progress of case.sd <2>
case analysis in progress on: .x le .y or ~(.x le .y) <1>
1st case: in progress
--> you are here <--

<sdvs.2.1.1.1> apply

sd/number[highest applicable/once]: if.sd

apply -- [sd pre: (.x le .y)
comod: (all)
mod: (z)
post: (#z = .y - .x)]

We inquire if the goal is true and close the proof of the first case:

<sdvs.2.1.1.2> whynotgoal
simplify?[no]: <CR>

The goal is TRUE. Type 'close'.

<sdvs.2.1.1.2> close

close -- 1 steps/applications
open -- [sd pre: (~(.x le .y))
comod: (all)
mod: (z)
post: (#z ge 0,
#z = y\29 - x\30 or #z = x\30 - y\29)]

Complete the proof.

SDVS has automatically opened the proof of the case .y < .x:

<sdvs.2.1.2.1> simp
expression: .y lt .x

true

At this point there are several usable state deltas, but only one has a true precondition and is applicable, else.sd:

<sdvs.2.1.2.1> usable

u(1) [sd pre: (.x le .y)
comod: (all)
mod: (z)
post: (#z ge 0,
#z = y\29 - x\30 or #z = x\30 - y\29)]

u(2) [sd pre: (.y lt .x)
comod: (all)
mod: (z)
post: (#z = .x - .y)]

u(3) [sd pre: (.x le .y)
comod: (all)
mod: (z)
post: (#z = .y - .x)]

No usable quantified formulas.

<sdvs.2.1.2.1> applicable

u(2) [sd pre: (.y lt .x)
comod: (all)
mod: (z)
post: (#z = .x - .y)]
Note that the first usable state delta is the state delta that was just proved, i.e., the first case state delta. We apply else.sd and close the proof of the second case:

<sdvs.2.1.2.1> apply

sd/number[highest applicable/once]: else.sd

apply -- [sd pre: (.y lt .x)
comod: (all)
mod: (z)
post: (#z = .x - .y)]

After the proof of the second case, SDVS automatically “joins” the two cases into one state delta and closes the proof of case.sd. (The “join” and close are automatic, even if the autoclose flag is off.) Thus case.sd is now usable:

<sdvs.3> usable

u(1) [sd pre: (covering(all,x,y,z),formula(if.sd),formula(else.sd))
comod: (all)
mod: (z)
post: (#z ge 0,#z = .y - .x or #z = .x - .y)]

No usable quantified formulas.

Let us quit and look at the proof:

<sdvs.3> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> pp
object: proof
proof name: sdvsproof

proof sdvsproof:

(setflag autoclose off,
prove case.sd
proof:

cases .x le .y
then proof:

(apply if.sd,
close)
else proof:

(apply else.sd,
close))


3.3  Proofs  of  Now  and  of  Always 


In  this  section,  we  will  give  some  trivial  examples  of  state  deltas  that  assert  that  a  formula 
is  true  now  and  that  a  formula  is  true  always  (in  the  timeline). 


Example  4  A  state  delta  with  a  comodification  list  of  “all”  and  an  empty  modification 
list  asserts  that  its  precondition  implies  its  postcondition  at  the  current  time.  The  reason 
for  this  is  that  a  comodification  list  of  “all”  does  not  allow  any  variables  to  change  value 
between  now  and  the  precondition  time,  and  the  empty  modification  list  does  not  allow  any 
variables  to  change  value  between  the  precondition  and  postcondition  times.  Thus,  if  the 
precondition  implies  the  postcondition  at  the  current  state,  the  state  delta  is  true. 

Consider the state delta now1.sd:

[sd pre: (covering(all,x),.x gt a)
comod: (all)
post: (#x ge a + 1)]

It asserts that x > a implies x ≥ a + 1, which is of course true. The proof is trivial.

<sdvs.4> setflag

flag variable: autoclose
on or off[on]: off

setflag autoclose -- off

<sdvs.5> init

proof name[]: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> prove

state delta[]: now1.sd
proof[]: <CR>

open -- [sd pre: (covering(all,x),.x gt a)
comod: (all)
post: (#x ge a + 1)]

Complete the proof.

Footnote: Recall that in SDVS, integer is the default type of local and global variables.

Since the precondition has been asserted and the precondition implies the postcondition, the goal is true, and we may close the proof.

<sdvs.1.1> simp

expression: .x gt a

true

<sdvs.1.1> simp

expression: .x ge a+1

true

<sdvs.1.1> close
close -- 0 steps/applications


Example 5 A more interesting example of an implication posing as a state delta is now2.sd

[sd pre: (covering(all,x),formula(event.x.gt.5.sd))
comod: (all)
post: (formula(event.x.ge.6.sd))]

where event.x.gt.5.sd is the state delta

[sd pre: (true) comod: (all) mod: (x) post: (#x gt 5)]

and event.x.ge.6.sd is the state delta

[sd pre: (true) comod: (all) mod: (x) post: (#x ge 6)]

Clearly, event.x.gt.5.sd implies event.x.ge.6.sd, which is the assertion of now2.sd.

Let us open the proof of this implication:

<sdvs.2> init

proof name[]: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.
<sdvs.1> prove

state delta[]: now2.sd
proof[]: <CR>

open -- [sd pre: (covering(all,x),formula(event.x.gt.5.sd))
comod: (all)
post: (formula(event.x.ge.6.sd))]

Complete the proof.

and look at the goals and the state deltas that are applicable:

<sdvs.1.1> goals

g(1) [sd pre: (true) comod: (all) mod: (x) post: (#x ge 6)]

<sdvs.1.1> applicable

u(1) [sd pre: (true) comod: (all) mod: (x) post: (#x gt 5)]

We really do not want to apply this last state delta right now, because

<sdvs.1.1> whynotapply

state delta[highest usable]: <CR>

Applicable, but must lead to a contradiction, because modlist too large.

The problem is that the state delta that we are proving, now2.sd, has an empty modification list that does not allow us to advance the state under normal circumstances. To illustrate a point, we nevertheless proceed with the application:

<sdvs.1.1> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
comod: (all)
mod: (x)
post: (#x gt 5)]

Warning: the modlist of the last applied state delta mentions places (x)
outside of the modlist of the state delta to be proven. The current
proof can only be closed by contradiction.
SDVS will not allow us to close the proof unless we can prove that our application will eventually lead to a contradiction, i.e., an inconsistent state. If the postcondition of event.x.gt.5.sd did lead to a contradiction, for example, if the postcondition were #x = #x + 1, then we could close the proof. But since in this case the postcondition is not inconsistent, we must pop back one step.

<sdvs.1.2> ps

<< initial state >>
proof in progress of now2.sd <2>
apply u(1) <1>

--> you are here <--

<sdvs.1.2> pop

number of levels[1]: <CR>

One level popped.


The only way to proceed with the proof is to open the proof of event.x.ge.6.sd:

<sdvs.1.1> goals

g(1) [sd pre: (true) comod: (all) mod: (x) post: (#x ge 6)]

<sdvs.1.1> prove
state delta[]: g
number: 1
proof[]: <CR>

open -- [sd pre: (true)
comod: (all)
mod: (x)
post: (#x ge 6)]

Complete the proof.

<sdvs.1.1.1> applicable

u(1) [sd pre: (true) comod: (all) mod: (x) post: (#x gt 5)]

At this point the modification list of the state delta to be proven, event.x.ge.6.sd, is x, and this list is a sublist of the modification list of event.x.gt.5.sd. That is why we may apply it without having to reach a contradiction:
<sdvs.1.1.1> whynotapply

state delta[highest usable]: <CR>

Quite applicable.

<sdvs.1.1.1> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
comod: (all)
mod: (x)
post: (#x gt 5)]

To complete the proof we have to close twice, since we opened the proof of two state deltas:

<sdvs.1.1.2> close

close -- 1 steps/applications
Complete the proof.

<sdvs.1.2> usable

u(1) [sd pre: (true) comod: (all) mod: (x) post: (#x ge 6)]
u(2) [sd pre: (true) comod: (all) mod: (x) post: (#x gt 5)]

No usable quantified formulas.

<sdvs.1.2> close
close -- 1 steps/applications
<sdvs.2> usable

u(1) [sd pre: (covering(all,x),formula(event.x.gt.5.sd))
comod: (all)
post: (formula(event.x.ge.6.sd))]

No usable quantified formulas.
Example 6 A state delta whose comodification and modification lists are both empty asserts that, at every time in the future, the precondition implies the postcondition. The reason for this is that since the comodification list is empty, no constraint is made between the current time and any future time at which the precondition may be true. Thus, if at any future time the precondition is true, then — because the modification list is empty — the postcondition must be true at that very time. In particular, if the precondition is true, then the postcondition must be true now and at every future time.

To illustrate these remarks, we provide a simple example. The state delta always.sd

[sd pre: (true) post: (#x gt #y)]

asserts that the value of x is always greater than the value of y. Thus, always.sd in conjunction with the state delta eventually1.sd

[sd pre: (true) comod: (all) mod: (all) post: (#y = 100)]

implies the state delta eventually2.sd

[sd pre: (true) comod: (all) mod: (all) post: (#x gt 100)]

This implication is asserted by always.ex.sd

[sd pre: (covering(all,x,y),formula(eventually1.sd),formula(always.sd))
comod: (all)
post: (formula(eventually2.sd))]

which we proceed to prove.

<sdvs.3> init

proof name[]: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> prove

state delta[]: always.ex.sd
proof[]: <CR>

open -- [sd pre: (covering(all,x,y),formula(eventually1.sd),
formula(always.sd))
comod: (all)
post: (formula(eventually2.sd))]

Complete the proof.
<sdvs.1.1> usable

u(1) [sd pre: (true) post: (#x gt #y)]

u(2) [sd pre: (true)
comod: (all)
mod: (all)
post: (#y = 100)]

No usable quantified formulas.

<sdvs.1.1> goals

g(1) [sd pre: (true)
comod: (all)
mod: (all)
post: (#x gt 100)]

There is only one efficient way to proceed:

<sdvs.1.1> prove
state delta[]: g
number: 1
proof[]: <CR>

open -- [sd pre: (true)
comod: (all)
mod: (all)
post: (#x gt 100)]

Complete the proof.

Because the comodification list of eventually2.sd is all, eventually1.sd and always.sd are still usable (always.sd will always be usable, because its comodification list is empty, and it will always be applicable, because its precondition is true and its modification list is also empty).

<sdvs.1.1.1> usablesds
u(1) [sd pre: (true) post: (#x gt #y)]

u(2) [sd pre: (true)
comod: (all)
mod: (all)
post: (#y = 100)]


We must now apply eventually1.sd and then always.sd, because the reverse order of application would not reach the goal. To illustrate this point, let us first apply always.sd:

<sdvs.1.1.1> apply

sd/number[highest applicable/once]: always.sd

apply -- [sd pre: (true)
post: (#x gt #y)]

<sdvs.1.1.2> simp
expression: .x gt .y

true

<sdvs.1.1.2> apply

sd/number[highest applicable/once]: eventually1.sd

apply -- [sd pre: (true)
comod: (all)
mod: (all)
post: (#y = 100)]

<sdvs.1.1.3> simp
expression: .x gt .y

x\51 gt 100

Because the modification list of eventually1.sd included x, the application of eventually1.sd erased the assertion .x > .y from the data base of facts. So let us pop back, apply in the right order, and then close the two proofs.

<sdvs.1.1.3> pop

number of levels[1]: 2

2 levels popped.

<sdvs.1.1.1> apply

sd/number[highest applicable/once]: eventually1.sd

apply -- [sd pre: (true)
comod: (all)
mod: (all)
post: (#y = 100)]
<sdvs.1.1.2> apply

sd/number[highest applicable/once]: always.sd

apply -- [sd pre: (true)
post: (#x gt #y)]

<sdvs.1.1.3> close

close -- 2 steps/applications

Complete the proof.

<sdvs.1.2> close

close -- 1 steps/applications
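The two mechanisms that Example 3 and Example 6 turn on, the applicability test that makes the cases split necessary, and the erasure of facts by a modification list that makes the order of application matter, as an added Python model. This is illustrative code written for this tutorial, not SDVS itself; the tuple encoding of formulas, the symbol numbering, and the absence of any arithmetic decision procedure (only gt, le, =, or, and - over constants are handled) are this example's own assumptions.

```python
import itertools
from dataclasses import dataclass

ALL = frozenset({"all"})  # SDVS's "all" comodification/modification list


@dataclass(frozen=True)
class StateDelta:
    """Stand-in for an SDVS state delta [sd pre: comod: mod: post:]."""
    name: str
    pre: tuple        # precondition formulas over ('.', place); () is (true)
    comod: frozenset  # governs usability, which this toy does not model
    mod: frozenset    # places that get a fresh symbolic value on application
    post: tuple       # formulas over ('.', place) (old) and ('#', place) (new)


class State:
    """Places map to symbolic values; facts are formulas over those symbols."""

    def __init__(self, places):
        self._fresh = itertools.count(1)
        self.values = {p: self._new_symbol(p) for p in places}
        self.facts = set()

    def _new_symbol(self, place):
        return f"{place}\\{next(self._fresh)}"  # displayed like SDVS's x\30

    def _resolve(self, term, old, new):
        """Replace place references by symbols and fold known constants."""
        if isinstance(term, tuple):
            if term[0] == ".":
                return self._resolve(old[term[1]], old, new)
            if term[0] == "#":
                return self._resolve(new[term[1]], old, new)
            args = tuple(self._resolve(a, old, new) for a in term[1:])
            if term[0] == "-" and all(isinstance(a, int) for a in args):
                return args[0] - args[1]
            return (term[0],) + args
        for fact in self.facts:  # a symbol known to equal a constant
            if fact[0] == "=" and fact[1] == term and isinstance(fact[2], int):
                return fact[2]
        return term

    def simp(self, formula, old=None, new=None):
        """Like SDVS's simp query: True, False, or the residual formula."""
        old, new = old or self.values, new or self.values
        f = self._resolve(formula, old, new)
        if f[0] == "or":
            return True if any(self.simp(x) is True for x in f[1:]) else f
        if all(isinstance(a, int) for a in f[1:]):
            return {"gt": f[1] > f[2], "le": f[1] <= f[2], "=": f[1] == f[2]}[f[0]]
        return True if f in self.facts else f

    def applicable(self, sd):
        """True only when every precondition formula is known to hold."""
        return all(self.simp(p) is True for p in sd.pre)

    def assume(self, formula):
        """What the cases command does: record the case predicate as a fact."""
        self.facts.add(self._resolve(formula, self.values, self.values))

    def apply(self, sd):
        if not self.applicable(sd):
            raise ValueError(f"{sd.name} is not applicable")
        old = dict(self.values)
        changed = list(self.values) if sd.mod == ALL else sd.mod
        # Every modified place gets a fresh symbol, so earlier facts about
        # it no longer say anything about the place's current value.
        for p in changed:
            self.values[p] = self._new_symbol(p)
        for f in sd.post:
            self.facts.add(self._resolve(f, old, self.values))


# Example 3: if.sd is usable but not applicable until .x le .y is assumed.
IF_SD = StateDelta("if.sd", (("le", (".", "x"), (".", "y")),), ALL, frozenset({"z"}),
                   (("=", ("#", "z"), ("-", (".", "y"), (".", "x"))),))
CASE_GOAL = ("or", ("=", ("#", "z"), ("-", (".", "y"), (".", "x"))),
             ("=", ("#", "z"), ("-", (".", "x"), (".", "y"))))


def first_case():
    """(applicable before the split, applicable after it, simp of the goal)."""
    s = State(["x", "y", "z"])
    before = s.applicable(IF_SD)
    s.assume(("le", (".", "x"), (".", "y")))
    after = s.applicable(IF_SD)
    s.apply(IF_SD)
    return before, after, s.simp(CASE_GOAL)  # (False, True, True)


# Example 6: always.sd and eventually1.sd, and why their order matters.
ALWAYS_SD = StateDelta("always.sd", (), frozenset(), frozenset(),
                       (("gt", ("#", "x"), ("#", "y")),))
EVENTUALLY1_SD = StateDelta("eventually1.sd", (), ALL, ALL, (("=", ("#", "y"), 100),))


def apply_in_order(*sds):
    """Apply the state deltas in the given order, then simp the goal .x gt 100."""
    s = State(["x", "y"])
    for sd in sds:
        s.apply(sd)
    return s.simp(("gt", (".", "x"), 100))
```

apply_in_order(ALWAYS_SD, EVENTUALLY1_SD) returns the residual ('gt', 'x\\3', 100), the analogue of the tutorial's x\51 gt 100, because the fresh symbol for x carries no facts; the reverse order returns True.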
3.4 Proofs by Induction

If a state delta is applicable at a certain point in a proof, and if its modification and comodification lists are disjoint, then the state delta may be applicable a number of times. For example, this is the case of the state delta

[sd pre: .i lt .y
comod: x,y
mod: s,i
post: #s=.s+1 and #i=.i+1]

at time t0 in the temporal structure M in Section 2.2.2. In certain situations it is possible to proceed with a proof by applying the state delta a fixed number of times, but in other cases the number of times that the state delta must be applied is not fixed but is data-dependent. For these instances, SDVS has a special proof command, induct. In this section we first present a simple and then a more complicated example illustrating this type of induction.


Example 7 Consider for example the state delta x.increases.sd:

[sd pre: (.x lt 100)
mod: (x)
post: (#x = .x + 1)]

If, at some point in a proof, x.increases.sd is true and the value of x is less than 100, then at this point x.increases.sd is not only true but applicable as well. In fact, from this point on, it may be applied repeatedly until the value of x reaches 100. Of course, the number of times that it must be applied for x to reach the value of 100 depends on the initial value of x itself. We will illustrate the induct command by giving a proof of the state delta induction1.sd:

[sd pre: (.x le 0,formula(x.increases.sd))
comod: (all)
mod: (x)
post: (#x = 100)]

<sdvs.3> init

proof name[]: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> prove

state delta[]: induction1.sd
proof[]: <CR>

open -- [sd pre: (.x le 0,formula(x.increases.sd))
comod: (all)
mod: (x)
post: (#x = 100)]
inserting -- pcovering(all,x)

Complete the proof.

The value of x is now symbolic and less than or equal to 0. In fact, let us give a name to this symbolic value by using a useful naming device in SDVS, the let command.

<sdvs.1.1> let

new variable: a
value: .x

let -- a = .x

It should be pointed out that the name of the “new variable” must be new and that the value assigned to it must be a term of type precondition (no #'s). For example,

<sdvs.1.2> let

new variable: b
value: 2*.x

let -- b = 2 * .x

<sdvs.1.3> simp

expression: b=2*a

true

We can verify that a is the current value of x and list its range of possible values:

<sdvs.1.3> ppeq
expression:

eqclass = a

x\54

<sdvs.1.3> range
expression: .x

Range -infinity ... 0


The state delta x.increases.sd is certainly applicable:

<sdvs.1.3> applicable

u(1) [sd pre: (.x lt 100)
mod: (x)
post: (#x = .x + 1)]

We are now ready to induct.

<sdvs.1.3> induct

induction expression: i
from: a
to: 100
invariant list[]: .x=i
comodification list[]: <CR>
modification list[]: x
base proof[]: <CR>
step proof[]: <CR>

induction -- i from a to 100

open -- [sd pre: (i = a)
comod: (all)
post: (.x = i)]

Several  comments  are  in  order: 

(i)  We  are  inducting  from  i  =  a  to  i  =  100. 

(ii)  The  invariant  list  of  the  induct  command  must  be  true  now.  In  general,  the  invariant 
list  of  the  induction  command  is  a  precondition  formula  that  must  be  true  at  every 
step  of  the  induction,  but  not  necessarily  at  every  intermediate  state. 

(iii)  If  i  does  reach  100  and  the  invariant  list  is  true,  then  our  goal  will  also  be  true,  namely, 
the  value  of  x  must  then  be  100. 

(iv) The comodification and modification lists for the induct command must be disjoint.

(v)  The  modification  list  to  the  induct  command  must  be  included  in  the  modification 
list  of  the  state  delta  to  be  proven. 
Upon the invocation of the induction command, SDVS automatically opens the proof of the base case state delta and then, upon the completion of this proof, the proof of the step case state delta. The base case proof is a proof that if i is equal to the initial value of .x, then the invariant is true now. The step case proof is the proof of the state delta that asserts that if i is somewhere between the specified limits of the range, i.e., a ≤ i < 100, and the invariant is true for i, then there is a future time when the invariant will be true for i + 1, and in the meantime, only x may change its value. Since the autoclose flag is off, we have to close the base case proof.

<sdvs.1.3.1.1> close

close -- 0 steps/applications

open -- [sd pre: (i ge a,i lt 100,.x = i)
mod: (x)
post: (#x = i + 1)]

Complete the proof.

The proof of the state delta that was automatically opened is the step case proof. In order to complete this proof, we have to advance the state, and this can be done only by applying x.increases.sd (which, of course, is still applicable):

<sdvs.1.3.2.1> applicable

u(1) [sd pre: (.x lt 100)
mod: (x)
post: (#x = .x + 1)]

<sdvs.1.3.2.1> apply

sd/number[highest applicable/once]: x.increases.sd

apply -- [sd pre: (.x lt 100)
mod: (x)
post: (#x = .x + 1)]

Let us look at the proof state and then close the proof by induction:

<sdvs.1.3.2.2> ps
<< initial state >>
proof in progress of induction1.sd <5>
let a = .x <4>
let b = 2 * .x <3>
induction in progress on i from a to 100 <2>
base case: complete
step case: in progress
apply x.increases.sd <1>

--> you are here <--

<sdvs.1.3.2.2> close

close -- 1 steps/applications

join induction cases

[sd pre: (a le 100)
comod: (all)
mod: (x)
post: (#x = 100)]

Complete the proof.

Finally SDVS joins the two proofs. The goal should now have been reached.

<sdvs.1.4> ppeq
expression: .x

eqclass = 100

<sdvs.1.4> close
close -- 3 steps/applications


Our next example of induction in SDVS differs from the last one in that the invariant list for the induction and the comodification and modification lists are more complex.


Example 8 Suppose that at some point in the execution of a program, the value of the program variable y is greater than or equal to zero and the program segment to be executed is S:

sum := x;
ctr := 0;
while (ctr < y) loop
    sum := sum + 1;
    ctr := ctr + 1;
end loop;
At the end of the execution of S, the value of sum should be the sum of the initial values of x and y.

The loop portion of S cannot be translated into state deltas of the form that we have so far discussed. The semantics of a loop requires the concept of a circular state delta, which is defined as the greatest fixed point of an operator on predicates and is beyond the scope of this tutorial. But for another illustration of induction, we collapse the two assignment statements of the loop into one statement and translate the program segment S as the following series of nested state deltas:

assign.x.to.sum.sd:

[sd pre: (true)
comod: (all)
mod: (sum)
post: (#sum = .x,formula(assign.0.to.ctr.sd))]

assign.0.to.ctr.sd:

[sd pre: (true)
comod: (all)
mod: (ctr)
post: (#ctr = 0,formula(loop.sd))]

loop.sd:

[sd pre: (.ctr lt .y)
comod: (x,y)
mod: (sum,ctr)
post: (#sum = .sum + 1,#ctr = .ctr + 1)]

The first two state deltas are assignment statements with a continuation. But loop.sd is the test for the loop (its precondition) and the collapsed loop body itself (its postcondition). Note that it is the only state delta without an “all” in its comodification list. When this state delta first becomes true, it will be applicable as long as x and y do not change their values and as long as the precondition is true. This is the state delta that will allow us to proceed with the induction.

Finally, the state delta sum.sd

[sd pre: (covering(all,x,y,ctr,sum),.y ge 0,formula(assign.x.to.sum.sd))
comod: (all)
mod: (sum,ctr)
post: (#sum = .x + .y)]


asserts that if the initial value of y is greater than or equal to zero, and if assign.x.to.sum.sd is true, then eventually the value of sum will be equal to the sum of the initial values of x and y. Furthermore, because of its modification list, in that interval of change x and y will remain constant.

T      t0        t1        t2    t3    t4    t5
x      5         5         5     5     5     5
y      3         3         3     3     3     3
sum    sum(t0)   5         5     6     7     8
ctr    ctr(t0)   ctr(t1)   0     1     2     3

Figure 5: A Model N of the Precondition of sum.sd

For an example of a model N of the precondition of the state delta sum.sd, refer to Figure 5. In N the initial values of x and y are 5 and 3, respectively. The value of sum is symbolic at t0, and the value of ctr is symbolic at t0 and t1. The state delta assign.x.to.sum.sd is applicable (true with a true precondition) at t0; assign.0.to.ctr.sd is applicable at t1; and loop.sd is applicable at t2, t3, and t4. The precondition time of sum.sd is t0, and its postcondition time is t5.

Let us open the proof of sum.sd, check the symbolic values of x and y, and then check the goal of the proof:

<sdvs.3> init

proof name[]: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> prove

state delta[]: sum.sd
proof[]: <CR>

open -- [sd pre: (covering(all,x,y,ctr,sum),.y ge 0,
formula(assign.x.to.sum.sd))
comod: (all)
mod: (sum,ctr)
post: (#sum = .x + .y)]

Complete the proof.
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<sdvs.l.l>  ppl 

places  [all]  :  <  CR> 

X  x\62 

y  y\6i 

<sdvs.l.l>  goals 
g(l)  #sum  =  x\62  +  y\61 

We  now  nse  until  to  advance  through  the  first  two  a^ssigninent  statements: 

<sdvs.1.1> until
formula: #ctr=0

apply -- [sd pre: (true)
comod: (all)
mod: (sum)
post: (#sum = .x,formula(assign.0.to.ctr.sd))]

apply -- [sd pre: (true)
comod: (all)
mod: (ctr)
post: (#ctr = 0,formula(loop.sd))]

until break point reached -- #ctr = 0

As we expected, the assignments have been executed and the goal remains the same:

<sdvs.1.3> ppl

places [all]: <CR>

sum x\62
everyplace UNDEFINED
ctr 0
x x\62
y y\61

<sdvs.1.3> goals
g(1) #sum = x\62 + y\61

The state delta loop.sd is now usable but not applicable because if the value of y happens
to be 0, then its precondition is not true.


<sdvs.1.3> usable

u(1) [sd pre: (.ctr lt .y)
comod: (x,y)
mod: (sum,ctr)
post: (#sum = .sum + 1,#ctr = .ctr + 1)]

No usable quantified formulas.

<sdvs.1.3> applicable

<sdvs.1.3> whynotapply

state delta[highest usable]: loop.sd

Because the following is not known to be true -- .ctr lt .y

We are thus forced to do cases on .ctr ≥ .y. If this case is true, then y = 0 and our goal is
trivially true:

<sdvs.1.3> cases

case predicate: .ctr ge .y

cases .ctr ge .y

open -- [sd pre: (.ctr ge .y)
comod: (all)
mod: (sum,ctr)
post: (#sum = x\62 + y\61)]

<sdvs.1.3.1.1> close

close -- 0 steps/applications

open -- [sd pre: (~(.ctr ge .y))
comod: (all)
mod: (sum,ctr)
post: (#sum = x\62 + y\61)]

Complete the proof.

SDVS has now opened the case of .ctr < .y. Since this is the precondition of loop.sd, it is
now applicable and we use it in our induction.

<sdvs.1.3.2.1> applicable

u(2) [sd pre: (.ctr lt .y)
comod: (x,y)
mod: (sum,ctr)
post: (#sum = .sum + 1,#ctr = .ctr + 1)]

In this example the use of the induct command is less trivial. A little thought shows that
sum = x + ctr is true at the current state, and that it will continue to be true after each
application of loop.sd. Furthermore, when the value of ctr is equal to the value of y, our
goal will be true. It follows that we should induct from .ctr = 0 to .ctr = .y, with the
invariant being .sum = .x + .ctr. The comodification list should consist of x and y, since
they must remain constant during the induction, and the modification list should consist of
sum and ctr, since they must be allowed to change. Note that these two lists are disjoint,
as they must be. So, let us proceed with the induction.

<sdvs.1.3.2.1> induct

induction expression: .ctr
from: 0
to: .y
invariant list[]: .sum=.x+.ctr
comodification list[]: x,y
modification list[]: sum,ctr
base proof []: <CR>
step proof []: <CR>

induction -- .ctr from 0 to .y

open -- [sd pre: (true)
comod: (all)
post: (.sum = .x + .ctr,.ctr = 0)]

SDVS has opened the proof of the base case, which is trivially true, and we close it.

<sdvs.1.3.2.1.1.1> close

close -- 0 steps/applications

open -- [sd pre: (.ctr ge 0,.ctr lt .y,.sum = .x + .ctr)
comod: (x,y)
mod: (sum,ctr)
post: (#sum = #x + #ctr,#ctr = .ctr + 1)]

Complete the proof.

For the step case proof, the invariant is assumed to be true now, and we have to reach the
state at which it will continue to be true and the value of ctr will be incremented by 1. Let
us check the proof state at this juncture:


<sdvs.1.3.2.1.2.1> ps

<< initial state >>
proof in progress of sum.sd <5>
apply (until #ctr = 0) <4>
apply (until ...) <3>
case analysis in progress on: .ctr ge .y or ~(.ctr ge .y) <2>
1st case: complete
2nd case: in progress
induction in progress on .ctr from 0 to .y <1>
base case: complete
step case: in progress
--> you are here <--

Since at this state ctr < y and x and y have remained constant, loop.sd should be applicable:

<sdvs.1.3.2.1.2.1> applicable

u(1) [sd pre: (.ctr lt .y)
comod: (x,y)
mod: (sum,ctr)
post: (#sum = .sum + 1,#ctr = .ctr + 1)]

Before applying this state delta, let us check the symbolic values of the places and the goal:

<sdvs.1.3.2.1.2.1> ppl
places [all]: <CR>

sum sum\70
everyplace UNDEFINED
ctr ctr\69
x x\62
y y\61

<sdvs.1.3.2.1.2.1> goals

g(1) #sum = #x + #ctr
g(2) #ctr = ctr\69 + 1


Now we apply loop.sd and check the symbolic values once more:

<sdvs.1.3.2.1.2.1> apply
sd/number [highest applicable/once]: loop.sd

apply -- [sd pre: (.ctr lt .y)
comod: (x,y)
mod: (sum,ctr)
post: (#sum = .sum + 1,#ctr = .ctr + 1)]

<sdvs.1.3.2.1.2.2> ppl
places [all]: <CR>

sum (1 + x\62) + ctr\69
everyplace UNDEFINED
ctr 1 + ctr\69
x x\62
y y\61


The values of sum and ctr have increased by one, and the invariant should remain true for
these new values.

<sdvs.1.3.2.1.2.2> simp
expression: .sum=.x+.ctr

true


<sdvs.1.3.2.1.2.2> applicable

<sdvs.1.3.2.1.2.2> close

close -- 1 steps/applications

join induction cases

[sd pre: (0 le .y)
comod: (all,x,y)
mod: (sum,ctr)
post: (#ctr = .y,#sum = #x + #y)]

Complete the proof.

SDVS has now joined the two cases of the induction proof. Let us check the proof state:

<sdvs.1.3.2.2> ps

<< initial state >>
proof in progress of sum.sd <5>
apply (until #ctr = 0) <4>
apply (until ...) <3>
case analysis in progress on: .ctr ge .y or ~(.ctr ge .y) <2>
1st case: complete
2nd case: in progress
proved via induction, then applied
[sd pre: (0 le .y)
comod: (all,x,y)
mod: (sum,ctr)
post: (#ctr = .y,#sum = #x + #y)] <1>
--> you are here <--

The goal of the second case of the case analysis has now been reached.

<sdvs.1.3.2.2> simp

expression: .sum=.x+.y

true

We thus close the second case proof and then the proof of sum.sd itself.

<sdvs.1.3.2.2> close

close -- 1 steps/applications

join -- [sd pre: (true)
comod: (all)
mod: (sum,ctr)
post: (#sum = x\62 + y\61)]

close -- 3 steps/applications

<sdvs.2> ps

<< initial state >>
proved sum.sd <1>

--> you are here <--

<sdvs.2> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted  to  authorized  users  only. 
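As an added, executable model of the argument just completed (my own Python, not SDVS code and not part of the tutorial), the three state deltas of sum.sd are implemented as guarded transitions, the invariant .sum = .x + .ctr is checked in every induction state, and the run on the model N of Figure 5 (x = 5, y = 3) reproduces the trace t0..t5, while y = 0 exercises the .ctr ge .y branch of the case split. The helper names run_sum and final_sum are my own.

```python
"""Executable model of the sum.sd proof (added example, not SDVS code).

A state delta is modelled as (pre, mod, post): `pre` tests the current
state, `post` yields new values for the places on the modification list
`mod`, and every other place is left unchanged (the role of the
comodification list).  The initial state of Figure 5 (x = 5, y = 3) is a
constructed sample input.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

State = Dict[str, Optional[int]]   # None models a symbolic (unknown) value


@dataclass(frozen=True)
class StateDelta:
    name: str
    pre: Callable[[State], bool]    # precondition on the current state
    mod: FrozenSet[str]             # places that may change
    post: Callable[[State], State]  # new values for the places in mod

    def applicable(self, s: State) -> bool:
        """True (with a true precondition) in state s."""
        return self.pre(s)

    def apply(self, s: State) -> State:
        if not self.applicable(s):
            raise ValueError(f"{self.name} is not applicable")
        new = self.post(s)
        # the postcondition may only assign places on the modification list
        illegal = set(new) - self.mod
        if illegal:
            raise ValueError(f"{self.name} changes {sorted(illegal)} outside mod")
        return {**s, **new}


# The three state deltas of the example, transcribed from the tutorial text.
ASSIGN_X_TO_SUM = StateDelta("assign.x.to.sum.sd", lambda s: True,
                             frozenset({"sum"}), lambda s: {"sum": s["x"]})
ASSIGN_0_TO_CTR = StateDelta("assign.0.to.ctr.sd", lambda s: True,
                             frozenset({"ctr"}), lambda s: {"ctr": 0})
LOOP = StateDelta("loop.sd", lambda s: s["ctr"] < s["y"],
                  frozenset({"sum", "ctr"}),
                  lambda s: {"sum": s["sum"] + 1, "ctr": s["ctr"] + 1})


def invariant(s: State) -> bool:
    """The induction invariant .sum = .x + .ctr."""
    return s["sum"] == s["x"] + s["ctr"]


def run_sum(x: int, y: int) -> List[State]:
    """Run the model from the precondition of sum.sd; return the trace t0, t1, ...

    The run mirrors the proof: the two assignments (the `until #ctr=0` step),
    then either the case .ctr ge .y (loop.sd not applicable, so y = 0) or the
    induction on .ctr from 0 to .y with loop.sd as the step, checking the
    invariant in every induction state as the step case does symbolically.
    """
    if y < 0:
        raise ValueError("the precondition of sum.sd requires .y ge 0")
    s: State = {"x": x, "y": y, "sum": None, "ctr": None}  # symbolic at t0
    trace = [s]
    s = ASSIGN_X_TO_SUM.apply(s)          # t1: sum = x
    trace.append(s)
    s = ASSIGN_0_TO_CTR.apply(s)          # t2: ctr = 0, base case of the induction
    trace.append(s)
    if not (s["ctr"] == 0 and invariant(s)):
        raise AssertionError("base case failed")
    while LOOP.applicable(s):             # .ctr lt .y: the step case
        s = LOOP.apply(s)
        trace.append(s)
        if not invariant(s):
            raise AssertionError("invariant broken by loop.sd")
    # after the induction .ctr = .y, which with the invariant gives the goal
    if not (s["ctr"] == s["y"] and s["sum"] == x + y):
        raise AssertionError("goal #sum = .x + .y not reached")
    # x and y are on the comodification list: they never changed
    if any(t["x"] != x or t["y"] != y for t in trace):
        raise AssertionError("comodified places changed")
    return trace


def final_sum(x: int, y: int) -> int:
    """The value of sum at the postcondition time of sum.sd."""
    return run_sum(x, y)[-1]["sum"]
```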
4 Declaration of Types


In our previous examples we did not declare the type of the variables. SDVS assumed
that they were integers. However, it is possible to declare explicitly the types of the local
variables by the declare statement. The SDVS types accepted by the declare statement
may be listed with the help query:

<sdvs.1> help

with[all]: types

<<<SDVS Help>>> Types <<<SDVS Help>>>

type(boolean)                         Boolean
type(character)                       Ada characters
type(bitstring,n)                     bitstring of length n
type(polymorphic)                     polymorphic (any type)
type(fn,exp)                          a function defined by the expression exp
type(float)                           floating point
type(integer)                         integer
type(integer,lb,ub)                   bounded integer, that is, lb<=i<=ub
type(array,lb,ub,type)                array with lower bound lb, upper bound ub, and
                                      specified element type
type(record,field1(type1),...,fieldj(typej))  record with field names of
                                      specified types
type(time)                            VHDL time
type(waveform)                        VHDL waveform
type(integerwaveform)                 VHDL integer waveform
type(bitwaveform)                     VHDL bit waveform
type(bitstringwaveform,n)             VHDL bitstring (length n) waveform
The last five types are peculiar to VHDL. The “record,” “character,” and “float” types are
for Ada, and the bitstring type is for ISPS and VHDL. If a is an array, then origin(a)
is its initial index, range(a) is its length, and for i and j such that origin(a) ≤ i ≤ j <
origin(a) + range(a), a[i:j] is the slice (subarray) of a from the ith to the jth index.
If b is a bitstring, then lh(b) is the length of b, the zeroth bit is the low-order bit, and the
lh(b) - 1 bit is the high-order bit. The integer value of b is denoted by |b|. If i and j are
such that 0 < j and 0 ≤ i ≤ 2^j - 1, then i(j) is the bitstring of length j and integer value
i. Thus, if b = 10(4), then b = <1010>. If 0 ≤ z ≤ y ≤ lh(b) - 1, then b<y:z> is the
substring of b of length y - z + 1 whose bits are the bits of b from the zth to the yth bit.
Some bitstring operations are addition (++), subtraction (--), multiplication (**), bitstring
“or” (usor), bitstring “and” (&&), and concatenation (@). Some bitstring inequalities are
“uslt,” “usle,” “usgt,” and “usge” (the “us” prefix means unsigned). Here is an example
of a few declarations:

<sdvs.1> pp
object: sd

state delta name: types.sd

[sd pre: (declare(a,type(array,-1,5,type(integer))),
declare(abit,type(array,1,10,type(bitstring,4))),
declare(p,type(boolean)),declare(q,type(boolean)),
declare(r,type(boolean)),declare(cbit,type(bitstring,6)),
covering(all,a,abit,p,q,r),.p,~.q,.r,.a[1] = 2,.a[2] = 100,
.abit[1] = 9(4),.abit[2] = 8(4),.abit[3] = 7(4),
.cbit = 12(6))
comod: (all)
mod: (p,q)
post: (#q)]

Note that the initial values of abit[1], abit[2], and abit[3] are <1001>, <1000>, and
<0111>, respectively. Also, initially, p and r are true, and q is false. The above state
delta is, of course, not provable, but if we open its proof we can then use the simplifier to
illustrate some notation:

<sdvs.1> prove

state delta []: types.sd
proof []: <CR>

open -- [sd pre: (declare(a,type(array,-1,5,type(integer))),
declare(abit,type(array,1,10,type(bitstring,4))),
declare(p,type(boolean)),declare(q,type(boolean)),
declare(r,type(boolean)),
declare(cbit,type(bitstring,6)),
covering(all,a,abit,p,q,r),.p,~.q,.r,.a[1] = 2,
.a[2] = 100,.abit[1] = 9(4),.abit[2] = 8(4),
.abit[3] = 7(4),.cbit = 12(6))
comod: (all)
mod: (p,q)
post: (#q)]

inserting -- pcovering(all,cbit)

Complete the proof.


<sdvs.1.1> simp
expression: .q

false

<sdvs.1.1> simp
expression: .q implies (.p and .r)

true

<sdvs.1.1> simp
expression: .q or (.q implies (.p and .r))

true

<sdvs.1.1> simp
expression: .a[1]+.a[2]

102

<sdvs.1.1> simp
expression: origin(a)

-1

<sdvs.1.1> simp
expression: range(a)

7

<sdvs.1.1> simp
expression: range(a[2:3])

2

<sdvs.1.1> simp
expression: .a[2:3][2]

100

<sdvs.1.1> simp
expression: |.abit[2]|

8

<sdvs.1.1> simp
expression: .abit[2]

8(4)

<sdvs.1.1> simp
expression: lh(.cbit)

6

<sdvs.1.1> simp
expression: .abit[1]++.abit[2]

17(5)

<sdvs.1.1> simp
expression: .cbit<2:0>

4(3)

<sdvs.1.1> simp
expression: .cbit<3:3>

1(1)

<sdvs.1.1> simp
expression: .abit[1] usor .abit[2]

9(4)

<sdvs.1.1> simp
expression: .abit[1] @ .abit[2]

152(8)
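As an added illustration of the bitstring and array notation just exercised (my own Python, not the SDVS simplifier), the operators i(j), |b|, lh, b<y:z>, ++, usor, && and @ and the origin-carrying array slice are modelled so that they reproduce the simp results above. The result widths chosen for ++ (one bit wider than the wider operand), usor and && (width of the wider operand) and @ (sum of the widths, left operand high-order) are assumptions that agree with those results, and the sample array carries the declared a[1] = 2 and a[2] = 100 with constructed zeros elsewhere.

```python
"""Model of the SDVS bitstring and array notation (added example, not SDVS code).

i(j) is the bitstring of length j with integer value i, |b| its value,
lh(b) its length, b<y:z> the substring from bit z (low order) up to bit y,
++ unsigned addition, usor and && bitwise or/and, @ concatenation with the
left operand high-order, and an array carries its origin so that a slice
keeps the indices of the array it was taken from.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Bitstring:
    value: int
    length: int

    def __post_init__(self) -> None:
        if self.length < 1 or not 0 <= self.value <= 2 ** self.length - 1:
            raise ValueError(f"{self.value} does not fit in {self.length} bits")

    @classmethod
    def parse(cls, text: str) -> "Bitstring":
        """Parse the i(j) notation, e.g. '12(6)'."""
        i, j = text.rstrip(")").split("(")
        return cls(int(i), int(j))

    def __str__(self) -> str:            # the i(j) form the simplifier prints
        return f"{self.value}({self.length})"

    def bits(self) -> str:
        """The <...> form, high-order bit first: 10(4) -> '<1010>'."""
        return "<" + format(self.value, f"0{self.length}b") + ">"

    def lh(self) -> int:
        return self.length

    def sub(self, y: int, z: int) -> "Bitstring":
        """b<y:z>: bits z..y of b, a bitstring of length y - z + 1."""
        if not 0 <= z <= y <= self.length - 1:
            raise ValueError("substring bounds out of range")
        width = y - z + 1
        return Bitstring((self.value >> z) & ((1 << width) - 1), width)

    def usplus(self, other: "Bitstring") -> "Bitstring":
        """++: assumed to be one bit wider than the wider operand (room for the carry)."""
        return Bitstring(self.value + other.value, max(self.length, other.length) + 1)

    def usor(self, other: "Bitstring") -> "Bitstring":
        return Bitstring(self.value | other.value, max(self.length, other.length))

    def usand(self, other: "Bitstring") -> "Bitstring":
        return Bitstring(self.value & other.value, max(self.length, other.length))

    def conc(self, other: "Bitstring") -> "Bitstring":
        """@: self becomes the high-order part, other the low-order part."""
        return Bitstring((self.value << other.length) | other.value,
                         self.length + other.length)


@dataclass(frozen=True)
class Array:
    origin: int              # index of the first element (may be negative)
    elems: Tuple[int, ...]

    def range(self) -> int:
        return len(self.elems)

    def __getitem__(self, i: int) -> int:
        last = self.origin + self.range() - 1
        if not self.origin <= i <= last:
            raise IndexError(f"index {i} outside {self.origin}..{last}")
        return self.elems[i - self.origin]

    def slice(self, i: int, j: int) -> "Array":
        """a[i:j]: the subarray from index i to j.  The indices are those of a,
        so a[2:3][2] is a[2] and the origin of a[2:3] is 2."""
        if not self.origin <= i <= j <= self.origin + self.range() - 1:
            raise IndexError("slice bounds out of range")
        return Array(i, self.elems[i - self.origin: j - self.origin + 1])
```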


5  Quantification  in  SDVS 


Quantification and proof rules involving quantifiers have been implemented in SDVS, but
not in a very general way. The universal quantifier ∀ is “forall” and the existential quantifier
∃ is “exists.” Both of these quantifiers may be used, untyped, over values of program
variables (places), but only the existential quantifier may be used over the program variables
themselves. In this section we illustrate two of the most important quantification proof rules,
instantiate and provebyinstantiation, by using a simple example.


Example 9 Consider the state delta quant.sd

[sd pre: (declare(a,type(array,1,10,type(integer))),
forall i (1 le i & i le 10 --> .a[i] = 1),
exists j ((1 le j & j le 10) & formula(increase.aj.sd)))
comod: (all)
mod: (all)
post: (exists k (#a[k] = 3))]

where increase.aj.sd is the state delta

[sd pre: (true)
mod: (a[j])
post: (#a[j] = .a[j] + 1)]

The precondition of quant.sd declares a to be an array variable of ten integers such that,
initially, all the indexed values of a are equal to 1. It also asserts that for some index j in
the range of indices of a, increase.aj.sd is initially true. Because the comodification list of
increase.aj.sd is the empty list, increase.aj.sd asserts that from now on, for this index j
and for whatever value a[j] has, there will be a future time when this value will increase by
1. Thus, quant.sd asserts that if its precondition is now true, then there will be a time in
the future at which the value of some a[k] will be equal to 3. Of course, one of these k's
will be j.

The proof of quant.sd requires both of the quantification proof rules mentioned above;
moreover, it requires the use of instantiate in two different contexts.

<sdvs.1> prove

state delta[]: quant.sd
proof []: <CR>

open -- [sd pre: (declare(a,type(array,1,10,type(integer))),
forall i (1 le i & i le 10 --> .a[i] = 1),
exists j ((1 le j & j le 10) &
formula(increase.aj.sd)))
comod: (all)
mod: (all)
post: (exists k (#a[k] = 3))]

Complete the proof.

<sdvs.1.1> setflag

flag variable: autoclose
on or off [on]: off

setflag autoclose -- off

<sdvs.1.2> usable
No usable state deltas.

q(1) exists j ((1 le j & j le 10) &
([sd pre: (true)
mod: (a[j])
post: (#a[j] = .a[j] + 1)]))
q(2) forall i (1 le i & i le 10 --> .a[i] = 1)

<sdvs.1.2> goals
g(1) exists k (#a[k] = 3)

Notice that the query usable lists two quantified statements, one of which involves the state
delta increase.aj.sd, and that the goal of the proof is an existentially quantified statement.
The quantified assertion q(1) can not be applied because it is not a state delta: we must
first instantiate the j in q(1) by some variable that has not appeared outside of q(1); in
fact, we will use j itself for the substitution. (This technique is similar to a technique in
predicate logic that consists of substituting a new constant in a formula for an existentially
quantified variable of the formula.) The proof command instantiate allows us to perform
this substitution and delete the existential quantifier from q(1). Note that, in this case, we
are “instantiating” a usable formula to remove the existential quantifier. Later in the proof,
we will use instantiate to prove the existentially quantified goal.

<sdvs.1.2> instantiate

existential formula: q
number: 1
existential variable []: j
instantiated by: j
existential variable []: <CR>

instantiate in q(1) -- j for j.

<sdvs.1.3> usable

u(1) [sd pre: (true)
mod: (a[j])
post: (#a[j] = .a[j] + 1)]

q(1) exists j ((1 le j & j le 10) &
([sd pre: (true)
mod: (a[j])
post: (#a[j] = .a[j] + 1)]))
q(2) forall i (1 le i & i le 10 --> .a[i] = 1)

In this case the parameters to the instantiate command are the usable existential formula
q(1), the existential variable, and the variable by which it will be replaced in the matrix of
q(1), followed by a carriage return to the last query.

If the formula φ to be instantiated has a series of existential variables in its prefix, i.e., if φ is
of the form (∃x1)(∃x2)...(∃xn)ψ, only one invocation of the instantiate command
is needed to instantiate all of the xi's. The parameters to the instantiate command would
be the formula to be instantiated, followed by the first existential variable and the variable
by which it will be replaced, followed by the second existential variable and the variable by
which it will be replaced, etc. The input to the command terminates with a carriage return
to the query “existential variable[]”.

Note that the instantiated formula increase.aj.sd is now usable and, of course, applicable.
We will apply it twice. But first we must establish that, at this point, a[j] = 1. This follows
logically from q(2), but SDVS is not automatically aware of it. It may be established by the
provebyinstantiation command. If in the course of a proof a formula of the form (∀x)φ(x)
is usable, provebyinstantiation may be used to assert φ(c/x), for any term c. More
generally, if (∀x1)...(∀xn)φ is usable, then one invocation of provebyinstantiation
suffices to assert

<sdvs.1.3> provebyinstantiation

prove formula[]: .a[j]=1
using universal formula: q
number: 2
universal variable []: i
instantiated by: j
universal variable []: <CR>

provebyinstantiation -- a\88 - 1

<sdvs.1.4> simp
expression: .a[j]

1


Before we proceed, we should note that we could not have switched the last two proof
commands. If we had first asserted that a[j] = 1 and then tried to instantiate, an error
would have occurred in the instantiation, since at that point j would have already been
used. If we apply increase.aj.sd twice, we will reach the state at which our goal is true.


<sdvs.1.4> apply

sd/number [highest applicable/once]: 2

apply -- [sd pre: (true)
mod: (a[j])
post: (#a[j] = .a[j] + 1)]

apply -- [sd pre: (true)
mod: (a[j])
post: (#a[j] = .a[j] + 1)]

<sdvs.1.6> ps

<< initial state >>
proof in progress of quant.sd <6>
autoclose flag turned off <5>
instantiate j for j in q(1) <4>
provebyinstantiation .a[j] = 1 <3>
apply <2>
apply <1>

--> you are here <--

<sdvs.1.6> simp
expression: .a[j]

3

So our goal is true, but again SDVS does not automatically know that a[j] = 3 implies that
(∃k)(a[k] = 3).

<sdvs.1.6> whynotgoal
simplify? [no]: <CR>

g(1) exists k (#a[k] = 3)

We must prove this through another invocation of the instantiate command, where this
time the existentially quantified formula is not a usable formula but a goal. If (∃x)φ(x) is
a goal and we invoke instantiate with this goal as the existentially quantified formula, x
as the existential variable, and c as the term to be substituted in φ for x, then the goal
becomes φ(c/x).

<sdvs.1.6> instantiate

existential formula: g
number: 1
existential variable []: k
instantiated by: j
existential variable []: <CR>

instantiate in goal 1 -- j for k.

<sdvs.1.7> goals
g(1) #a[j] = 3

SDVS knows that this goal is true; so we close the proof and quit:

<sdvs.1.7> close
close -- 6 steps/applications
<sdvs.2> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> pp
object: proof
proof name: sdvsproof

proof sdvsproof:

prove quant.sd
proof:
(setflag autoclose off,
instantiate (j=j) in q(1),
provebyinstantiation .a[j] = 1
using: q(2)
substitutions: (i=j),
apply 2,
instantiate (k=j) in g(1),
close)


6  Static  Proofs 


In actual practice the most difficult and time-consuming parts of a proof of program
correctness in SDVS are not the dynamic but rather the static parts of the proof, that is, those
parts of the proof that require the proof of a nontemporal formula that the simplifier does
not automatically know to be true.

The reason for this is that complete decision procedures have been implemented in the
simplifier for only certain theories over the SDVS domains.

For example, complete decision procedures have been implemented for propositional logic
and for quantifier-free formulas for integer and bitstring arithmetic with addition, but not
for integer or bitstring arithmetic that involves multiplication or for integer arithmetic that
involves the absolute-value function and the integer logarithmic function to the base 2. A
few facts are known by the simplifier about these operations, but certainly not all. For
example, the simplifier knows* that the following statements are true:


<sdvs.1> simp

expression: x+y=y+x

true

<sdvs.1> simp

expression: 2*x=x*2

true

<sdvs.1> simp

expression: 3*(x+y-2*z)=3*y-6*z+3*x

true

<sdvs.1> simp

expression: a lt 0 implies abs(a)=-a

true

<sdvs.1> simp

expression: a ge 0 implies abs(a)=a

true

<sdvs.1> simp

expression: i le 127 and j le 127 and a=i(7) and b=j(7) implies |a++b|=|b++a|

true

* By “knows”, we mean that the statement in question is automatically derivable from the current state
by the simplifier.
But  it  does  not  automatically  know  that  these  are  also  true: 

<sdvs.1> simp

expression: x*y=y*x

x * y = y * x

<sdvs.1> simp

expression: x*(x+2)=x*x+2*x

x * (2 + x) = 2 * x + x * x

<sdvs.1> simp

expression: abs(a-b)=abs(b-a)

abs(a - b) = abs(b - a)

<sdvs.1> simp

expression: i le 127 and j le 127 and a=i(7) and b=j(7) implies |a**b|=|b**a|

i le 127 & (j le 127 & (a = i(7) & b = j(7)))

--> |a ** b| = |b ** a|

The latter propositions must be proved in the larger context of a proof of a state delta,
by invoking the appropriate SDVS axioms. Alternatively, the user may create and prove
a lemma and then apply it in the course of a larger proof. This alternative is especially
useful if the lemma is required at more than one point in a proof. It is even possible for a
lemma to be created and used in the proof of a state delta and the proof of the lemma to
be deferred for a later time. At the end of the proof of a state delta (after a quit), SDVS
will inform the user of those lemmas that were used but not proved prior to the proof.

SDVS axioms are invoked by means of the rewritebyaxiom and provebyaxiom
commands. Before an axiom name is entered as a parameter to these proof commands, the
SDVS axiom file that contains it must first be read by the read command. The SDVS
axiom files may be listed by the help command:

<sdvs.1> help

with[all]: axioms

<<<SDVS Help>>> Axioms <<<SDVS Help>>>

axioms/abs.axioms                integer absolute value
axioms/arraycoverings.axioms     arrays and coverings
axioms/arrays.axioms             0-origin arrays (obsolete)
axioms/bitstring.axioms          bitstrings
axioms/div.axioms                integer division
axioms/exp.axioms                integer exponentiation
axioms/idiv.axioms               unsigned integer division
axioms/lastone.axioms            the LAST.ONE bitstring function
axioms/log2.axioms               integer log base 2
axioms/minmax.axioms             integer min and max
axioms/mod.axioms                integer modulus
axioms/mult.axioms               integer multiplication
axioms/origin-arrays.axioms      arbitrary-origin arrays
axioms/quant.axioms              quantification
axioms/rem.axioms                integer remainder
axioms/sqrt.axioms               integer square root

They may be read:

<sdvs.1> read

path name[tutorial/example2]: axioms/mult.axioms

Definitions read from file "axioms/mult.axioms"

-- (mult0,mult1,multcommute,multassoc,multdistributeplus,
multdistributeminus,multminus,multsquarege0,multge0,multle0,multge,
multgt0,multlt0,multgt)

<sdvs.2> read

path name[axioms/mult.axioms]: axioms/abs.axioms

Definitions read from file "axioms/abs.axioms"

-- (abs\neg,abs\pos)

<sdvs.3> read

path name[axioms/abs.axioms]: axioms/exp.axioms

Definitions read from file "axioms/exp.axioms"

-- (e1,e2,e3,e4,e5,e6,e7,expmult,expdiv,e8,e9,e10,e11,expabsval,
multeqsquare)

Each axiom that has been read may be pretty-printed:

<sdvs.4> pp

object: axiom

axiom name: multdistributeplus

axiom multdistributeplus (x,y,z):

x*(y+z)=x*y+x*z

A list of the current axioms (i.e., the axioms that have been read in the current session)
that contain a specific function or predicate symbol may also be displayed with the pp
command. The “symbol” that is entered as a parameter to the pp command must be
the simplifier name for that symbol. The simplifier symbols may be listed with the help
command:

<sdvs.4> help

with [all]: symbols

<<<SDVS Help>>> Symbols used in Axioms and Lemmas <<<SDVS Help>>>

constants    everyplace, emptyplace, emptyarray, true, false

functions    mkarray, val, inertial_update, transport_update, transaction,
             waveform, abs, mod, rem, div (/), min, max, expt (^), mult (*),
             minus (-), plus (+), parity, lastone, ones, zeros, useqv,
             usnor, usnand, usxor, usor, usand (&&), usnot, usremainder
             (usmod), usquotient (//), ustimes (**), usdifference (--),
             usplus (++), usgeq (usge), usgtr (usgt), usleq (usle), uslss
             (uslt), usneq (~==), useql (==), usconc (@), ussub, bcons, bs,
             usval, lh, aconc, element, origin, range, slice, union, diff,
             vhdltime, timeglobal, timedelta, timeplus, tcval

predicates   timege, timegt, timele, timelt, vhdltimep, sd-value, lt, le,
             gt, ge, alldisjoint, pcovering, covering, disjointarray, lhp,
             usvalp, elt, ele, egt, ege, esucc, epred, cond, and (&), or,
             xor, implies (-->), not (~), eq (=), neq (~=), distinct,
             preemption, waveformp

Here is a list of the current axioms with the “minus” function:

<sdvs.4> pp

object: axioms
axiom names []: <CR>
with symbols []: minus

axiom expabsval (a,b,c): ((b ge a & a ge -b) & b ge 0) & c ge 1
--> b ^ c ge a ^ c
axiom expdiv (a,k): k ge 1 --> a^(k-1)=a^k/a
axiom expmult (a,k): k ge 1 --> a^k=a*a^(k-1)
axiom abs\neg (x): x lt 0 --> abs(x) = -x
axiom multminus (x,y): (-x) * y = -(x * y)
axiom multdistributeminus (x,y,z): x*(y-z)=x*y-x*z

The pp command may also be used to display the current axioms that contain a list of
specified symbols. Here is how to list the current axioms in which both expt and minus appear:

<sdvs.4> pp

object: axioms
axiom names []: <CR>
with symbols []: expt,minus

axiom expabsval (a,b,c): ((b ge a & a ge -b) & b ge 0) & c ge 1
--> b ^ c ge a ^ c
axiom expdiv (a,k): k ge 1 --> a^(k-1)=a^k/a
axiom expmult (a,k): k ge 1 --> a^k=a*a^(k-1)

Furthermore, there is a command to delete all or some of the current axioms:

<sdvs.4> deleteaxioms

axiom names [all]: <CR>

deleteaxioms -- (e10,e9,e7,e6,e1,multgt,multlt0,multgt0,expabsval,e11,e8,
e2,multge,multle0,multge0,multsquarege0,multeqsquare,
expdiv,expmult,e5,e4,e3,abs\pos,abs\neg,multminus,
multdistributeminus,multdistributeplus,multassoc,
multcommute,mult1,mult0)


6.1  Invoking  SDVS  Axioms 


Example 10 In this example we prove a simple mathematical formula, due to Gauss, that
is translated as a state delta loop. The formula states that the sum of the first n positive
integers is equal to n(n + 1)/2, i.e., $\sum_{i=1}^{n} i = n(n + 1)/2$. To simplify matters we prove the
equivalent assertion $2 \sum_{i=1}^{n} i = n(n + 1)$.

The sum can be calculated by a “while” loop. One interpretation of the formula is given
by the state delta gauss.sd

[sd pre: (covering(all,i,sigma),.i = 1,n ge 1,.sigma = 1,
formula(gaussloop.sd))
comod: (all)
mod: (i,sigma)
post: (2 * #sigma = n * (n + 1),#i = n)]

where gaussloop.sd is the state delta

[sd pre: (.i lt n)
mod: (sigma,i)
post: (#i = .i + 1,#sigma = .sigma + #i)]

Not surprisingly, the SDVS proof of gauss.sd mirrors the standard proof by induction of
the formula.

<sdvs.4> init

proof name[]: <CR>

State Delta Verification System, Version 13

Restricted to authorized users only.

<sdvs.1> setflag

flag variable: autoclose
on or off [on]: off

setflag autoclose -- off

<sdvs.2> prove

state delta[]: gauss.sd
proof []: <CR>

open -- [sd pre: (covering(all,i,sigma),.i = 1,n ge 1,.sigma = 1,
formula(gaussloop.sd))
comod: (all)
mod: (i,sigma)
post: (2 * #sigma = n * (n + 1),#i = n)]

Complete the proof.

<sdvs.2.1> induct

induction expression: .i
from: 1
to: n
invariant list[]: 2*.sigma=.i*(.i+1)
comodification list[]: <CR>
modification list[]: i,sigma
base proof []: <CR>
step proof []: <CR>

induction -- .i from 1 to n

open -- [sd pre: (true)
comod: (all)
post: (2 * .sigma = .i * (.i + 1),.i = 1)]

<sdvs.2.1.1.1> close

close -- 0 steps/applications

open -- [sd pre: (.i ge 1,.i lt n,
2 * .sigma = .i * (.i + 1))
mod: (i,sigma)
post: (2 * #sigma = #i * (#i + 1),#i = .i + 1)]

Complete the proof.

SDVS has opened the step case of the induction proof. The precondition of the step case
state delta is the assumption that the formula is true for .i, and the postcondition is the
assertion that the formula is true for .i + 1. If a decision procedure for multiplication of
integers had been implemented in the simplifier, then an application of the applicable state
delta gaussloop.sd would close the proof. But as we have pointed out, this is not the case:
we will have to "read" and use the SDVS axioms for integer multiplication.

For a clear analysis of our strategy, we simplify matters by first naming the current values of
i and sigma, since, after the application of gaussloop.sd, these values will change. (Actually,
these values have a symbolic representation that will not be erased by the application of
gaussloop.sd, but it is more elegant to give them names.)

<sdvs.2.1.2.1> let
new variable: oldi
value: .i

let -- oldi = .i

<sdvs.2.1.2.2> let
new variable: oldsigma
value: .sigma

let -- oldsigma = .sigma

<sdvs.2.1.2.3> ppeq
expression: .i

eqclass = oldi
          i\101

<sdvs.2.1.2.3> ppeq
expression: .sigma

eqclass = oldsigma
          sigma\102

<sdvs.2.1.2.3> apply
sd/number [highest applicable/once]: gaussloop.sd

apply -- [sd pre: (.i lt n)
            mod: (sigma,i)
            post: (#i = .i + 1, #sigma = .sigma + #i)]

At this point, the simplifier should know that the following equalities are true:

EQ 1:  2 * oldsigma = oldi * (oldi + 1)
EQ 2:  .i = oldi + 1
EQ 3:  .sigma = oldsigma + (oldi + 1)

Furthermore, the current goal

    2 * .sigma = .i * (.i + 1)

is known by SDVS as the equivalent equation

E:  2 * (oldsigma + (oldi + 1)) = (oldi + 1) * (oldi + 2)

Let us verify these assertions:

<sdvs.2.1.2.4> simp
expression: 2*oldsigma=oldi*(oldi+1)

true

<sdvs.2.1.2.4> simp
expression: .i=oldi+1

true

<sdvs.2.1.2.4> simp
expression: .sigma=oldsigma+(oldi+1)

true

<sdvs.2.1.2.4> whynotgoal
simplify?[no]: yes

g(1) 2 * ((1 + oldi) + oldsigma) = (1 + oldi) * (2 + oldi)

If we substitute the right-hand side of EQ 1 for the term 2 * oldsigma in equation E and
expand the terms oldi * (oldi + 1) and (oldi + 1) * (oldi + 2), we see that this new equation
E1 is in fact true. Yet the simplifier does not know the goal to be true:

<sdvs.2.1.2.4> whynotgoal
simplify?[no]: <CR>

g(1) 2 * #sigma = #i * (#i + 1)

The reason that SDVS does not know that the goal is true is that, although the
substitution is done automatically, the expansions are not, and the simplifier does not know
automatically that the expansions are true:

<sdvs.2.1.2.4> simp
expression: oldi*(oldi+1)=oldi*oldi+oldi

2 * oldsigma = oldi + oldi * oldi

<sdvs.2.1.2.4> simp
expression: (oldi+1)*(oldi+2)=oldi*oldi+3*oldi+2

(1 + oldi) * (2 + oldi) = (2 + oldi * oldi) + 3 * oldi

This is why we must use the SDVS integer-multiplication axioms. But first, let us dump
our partial proof so that we may use it in the next example:

<sdvs.2.1.2.4> dumpproof
name: gauss.partial1.proof

Current proof dumped to gauss.partial1.proof.

We now "read" the integer multiplication axioms and pretty-print the two that we will need.

<sdvs.2.1.2.4> read
path name [axioms/exp.axioms]: axioms/mult.axioms

Definitions read from file "axioms/mult.axioms"
-- (mult0, mult1, multcommute, multassoc, multdistributeplus,
    multdistributeminus, multminus, multsquarege0, multge0, multle0,
    multge, multgt0, multlt0, multgt)

<sdvs.2.1.2.5> pp
object: axiom
axiom name: multdistributeplus

axiom multdistributeplus (x,y,z):
  x * (y + z) = x * y + x * z

<sdvs.2.1.2.5> pp
object: axiom
axiom name: multcommute

axiom multcommute (x,y):
  x * y = y * x

If at a certain point in a proof we wish to assert that two terms $t_1$ and $t_2$ are equal, and a
current axiom has the form $t_1' = t_2'$ or $t_2' = t_1'$, where $t_1$ and $t_2$ are of the form $t_1'$ and $t_2'$,
respectively, then an invocation of the rewritebyaxiom command with the current axiom
as the "axiom name" parameter and the term $t_1$ as the "term to rewrite" parameter will
assert the equality of $t_1$ and $t_2$. (The footnote below defines when a term is "of the form"
of another term.)

We first expand the term oldi * (oldi + 1) by means of the rewritebyaxiom command.

<sdvs.2.1.2.5> rewritebyaxiom
term to rewrite: oldi*(oldi+1)
axiom name []: multdistributeplus

rewritebyaxiom multdistributeplus -- oldi * (oldi + 1)
                                       = oldi * oldi +
                                         oldi * 1

<sdvs.2.1.2.6> simp
expression: oldi*(oldi+1)=oldi*oldi+oldi

true

The expansion of (oldi + 1) * (oldi + 2) is more complicated:

<sdvs.2.1.2.6> rewritebyaxiom
term to rewrite: (oldi+1)*(oldi+2)
axiom name []: multdistributeplus

rewritebyaxiom multdistributeplus -- (oldi + 1) * (oldi + 2)
                                       = (oldi + 1) * oldi +
                                         (oldi + 1) * 2

<sdvs.2.1.2.7> rewritebyaxiom
term to rewrite: (oldi+1)*oldi
axiom name []: multcommute

rewritebyaxiom multcommute -- (oldi + 1) * oldi
                                = oldi * (oldi + 1)

<sdvs.2.1.2.8> rewritebyaxiom
term to rewrite: oldi*(oldi+1)
axiom name []: multdistributeplus

rewritebyaxiom multdistributeplus -- oldi * (oldi + 1)
                                       = oldi * oldi +
                                         oldi * 1

Footnote: A term $t$ is of the form $t'$ if and only if $t = t'[s_1/x_1, \ldots, s_n/x_n]$, where the
$s_i$'s are terms and the $x_i$'s are variables of $t'$.
<sdvs.2.1.2.9> simp
expression: (oldi+1)*(oldi+2)=oldi*oldi+3*oldi+2

true

The goal is now known to be true:

<sdvs.2.1.2.9> whynotgoal
simplify?[no]: <CR>

The goal is TRUE. Type 'close'.

We close the two proofs and "quit":

<sdvs.2.1.2.9> close

close -- 8 steps/applications

join induction cases -- [sd pre: (1 le n)
                           comod: (all)
                           mod: (i,sigma)
                           post: (#i = n,
                                  2 * #sigma = n * (n + 1))]

Complete the proof.

<sdvs.2.2> close

close -- 1 steps/applications

<sdvs.3> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.

6.2  Creating,  Proving,  and  Invoking  Lemmas 

Example 11  In this example, we will prove gauss.sd once more, following the proof in the
last example up to the point at which we invoked the command rewritebyaxiom. At that
point we will create a lemma, and, without proving it, we will use it to complete the proof.
When we "quit" the proof of gauss.sd, SDVS will inform us that we used this lemma in
the proof, but that a proof had not been provided (prior to the proof of gauss.sd).

We start the proof of gauss.sd by using the partial proof that we dumped in the previous
example.

<sdvs.1> init
proof name[]: gauss.partial1.proof

State Delta Verification System, Version 13
Restricted to authorized users only.

setflag autoclose -- off

open -- [sd pre: (covering(all,i,sigma), .i = 1, n ge 1, .sigma = 1,
                  formula(gaussloop.sd))
           comod: (all)
           mod: (i,sigma)
           post: (2 * #sigma = n * (n + 1), #i = n)]

induction -- .i from 1 to n

open -- [sd pre: (true)
           comod: (all)
           post: (2 * .sigma = .i * (.i + 1), .i = 1)]

close -- 0 steps/applications

open -- [sd pre: (.i ge 1, .i lt n,
                  2 * .sigma = .i * (.i + 1))
           mod: (i,sigma)
           post: (2 * #sigma = #i * (#i + 1), #i = .i + 1)]

let -- oldi = .i

let -- oldsigma = .sigma

apply -- [sd pre: (.i lt n)
            mod: (sigma,i)
            post: (#i = .i + 1, #sigma = .sigma + #i)]

Complete the proof.

We are now at the point of the proof at which we previously used the rewritebyaxiom
command. Instead of using the axioms, we "create" a lemma and use it instead. (We should
point out that we could have created the lemma prior to the initiation of this proof.)


<sdvs.1> createlemma
name: gausslemma
pattern: (a+b)*(c+d)=((c*a+d*a)+c*b)+d*b
free variables []: a,b,c,d
constant symbols []: <CR>
function symbols []: <CR>
predicate symbols []: <CR>

Lemma 'gausslemma' created.

Note that the free variables a, b, c, and d that we used in the lemma are new. This is not
required by SDVS, but since we will eventually have to prove the lemma "at the top level"
(that is, not within another proof), we gain nothing by using variables of the current proof,
since at the "top level" nothing will be known about these variables. The pattern of the
lemma is a little odd, because we need this pattern only in the current proof, and because
the more obvious equation (a + b) * (c + d) = a * c + a * d + b * c + b * d requires four more
invocations of the axiom "multcommute" in its proof.

We may now use the command rewritebylemma, which is entirely analogous to the
rewritebyaxiom command, to complete the proof.

<sdvs.2.1.2.4> rewritebylemma
term to rewrite: (oldi+0)*(oldi+1)
lemma name []: gausslemma

rewritebylemma gausslemma -- (oldi + 0) * (oldi + 1)
                               = ((oldi * oldi + 1 * oldi) +
                                  oldi * 0) +
                                 1 * 0

<sdvs.2.1.2.5> simp
expression: oldi*(oldi+1)=oldi*oldi+oldi

true

<sdvs.2.1.2.5> rewritebylemma
term to rewrite: (oldi+1)*(oldi+2)
lemma name []: gausslemma

rewritebylemma gausslemma -- (oldi + 1) * (oldi + 2)
                               = ((oldi * oldi + 2 * oldi) +
                                  oldi * 1) +
                                 2 * 1
Note the way we entered the "term to rewrite" in the first invocation of the rewritebylemma
command. We could not have entered the term oldi * (oldi + 1) instead, because it is not
of the form of either of the two sides of the equality of the lemma, even though SDVS
knows that (oldi + 0) is equivalent to oldi.

We may now close the proof as before, but we dump the proof prior to the "quit."

<sdvs.2.1.2.6> whynotgoal
simplify?[no]: <CR>

The goal is TRUE. Type 'close'.

<sdvs.2.1.2.6> close

close -- 5 steps/applications

join induction cases -- [sd pre: (1 le n)
                           comod: (all)
                           mod: (i,sigma)
                           post: (#i = n,
                                  2 * #sigma = n * (n + 1))]

Complete the proof.

<sdvs.2.2> close

close -- 1 steps/applications

<sdvs.3> dumpproof
name: gauss.partial2.proof

Current proof dumped to gauss.partial2.proof.

<sdvs.3> quit

Proof session closed using unproved lemmas: (gausslemma)

The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.

Note that SDVS has informed us that the unproved lemma gausslemma was used in the
proof and that the customary "Q.E.D." did not follow the "quit".
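The following is an added Python example, not SDVS code, that models the term matching behind rewritebyaxiom and rewritebylemma in Examples 10 and 11 together with a simplifier that does linear arithmetic only: the step-case goal of Example 10 stays unknown until the three rewrites are asserted, and gausslemma rejects oldi * (oldi + 1) but accepts (oldi + 0) * (oldi + 1). The tuple term representation, the `known` table and all function names are assumptions of the example.

```python
# Rules are (variables, lhs, rhs), written as pp prints them in this section.
MULTDISTRIBUTEPLUS = (("x", "y", "z"),
                      ("*", "x", ("+", "y", "z")),
                      ("+", ("*", "x", "y"), ("*", "x", "z")))
MULTCOMMUTE = (("x", "y"), ("*", "x", "y"), ("*", "y", "x"))
# gausslemma of Example 11: (a+b)*(c+d) = ((c*a+d*a)+c*b)+d*b
GAUSSLEMMA = (("a", "b", "c", "d"),
              ("*", ("+", "a", "b"), ("+", "c", "d")),
              ("+", ("+", ("+", ("*", "c", "a"), ("*", "d", "a")),
                          ("*", "c", "b")),
                    ("*", "d", "b")))
# Terms (assumed encoding): str = variable, int = constant, tuple = (op, l, r).

def match(pat, term, vars_, subst=None):
    """Footnote rule: term is 'of the form' pat iff term = pat[s1/x1,...,sn/xn].
    Returns that substitution, or None if there is none."""
    subst = {} if subst is None else subst
    if isinstance(pat, str) and pat in vars_:
        if pat in subst and subst[pat] != term:
            return None
        subst[pat] = term
        return subst
    if isinstance(pat, tuple):
        if not isinstance(term, tuple) or term[0] != pat[0]:
            return None
        for p, t in zip(pat[1:], term[1:]):
            if match(p, t, vars_, subst) is None:
                return None
        return subst
    return subst if pat == term else None

def instantiate(t, subst):
    if isinstance(t, tuple):
        return (t[0],) + tuple(instantiate(a, subst) for a in t[1:])
    return subst.get(t, t) if isinstance(t, str) else t

def rewrite_by(rule, term):
    """rewritebyaxiom / rewritebylemma: the term must be of the form of one
    side of the rule's equation; the result is the other side, instantiated."""
    vars_, lhs, rhs = rule
    for side, other in ((lhs, rhs), (rhs, lhs)):
        s = match(side, term, vars_)
        if s is not None:
            return instantiate(other, s)
    return None  # SDVS rejects the rewrite in this case

def linear(t, known):
    """Model of the simplifier: linear arithmetic only. A product of two
    non-constant factors is an opaque atom unless a rewrite has asserted an
    equation for exactly that product ('known'). Result: {atom: coefficient},
    with the int 1 standing for the constant term."""
    if isinstance(t, int):
        return {1: t} if t else {}
    if isinstance(t, str):
        return {t: 1}
    if t[0] == "*" and t in known:
        return linear(known[t], known)
    la, lb = linear(t[1], known), linear(t[2], known)
    if t[0] == "+":
        out = dict(la)
        for k, v in lb.items():
            out[k] = out.get(k, 0) + v
    elif set(la) <= {1}:                       # constant * something
        out = {k: la.get(1, 0) * v for k, v in lb.items()}
    elif set(lb) <= {1}:                       # something * constant
        out = {k: lb.get(1, 0) * v for k, v in la.items()}
    else:
        out = {t: 1}                           # opaque non-linear atom
    return {k: v for k, v in out.items() if v}

def knows_equal(lhs, rhs, known):
    return linear(lhs, known) == linear(rhs, known)

def gauss_step_case():
    """Equation E of Example 10 after EQ 1 is substituted for 2 * oldsigma:
    oldi*(oldi+1) + 2*(oldi+1) = (oldi+1)*(oldi+2). Returns whether the goal
    is known before and after the three rewritebyaxiom steps of the proof."""
    o = "oldi"
    lhs = ("+", ("*", o, ("+", o, 1)), ("*", 2, ("+", o, 1)))
    rhs = ("*", ("+", o, 1), ("+", o, 2))
    known = {}
    before = knows_equal(lhs, rhs, known)
    for rule, term in ((MULTDISTRIBUTEPLUS, ("*", o, ("+", o, 1))),
                       (MULTDISTRIBUTEPLUS, rhs),
                       (MULTCOMMUTE, ("*", ("+", o, 1), o))):
        known[term] = rewrite_by(rule, term)   # assert term = its expansion
    return before, knows_equal(lhs, rhs, known)

def lemma_form_check():
    """Example 11: oldi*(oldi+1) is not of the form (a+b)*(c+d), while
    (oldi+0)*(oldi+1) is, even though the simplifier knows oldi+0 = oldi."""
    o = "oldi"
    return (rewrite_by(GAUSSLEMMA, ("*", o, ("+", o, 1))),
            rewrite_by(GAUSSLEMMA, ("*", ("+", o, 0), ("+", o, 1))))
```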
Example 12  We will now prove the lemma that we created in the last example. First
we will initialize the system and then use the SDVS command provelemma to open the
proof. The lemma must be "created" prior to the invocation of this command. We are still
in the session that we started at the beginning of this section. Thus SDVS knows that the
lemma has been "created," and the current axioms include the axioms that we will need in
its proof.

<sdvs.1> init
proof name []: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> provelemma
lemma name: gausslemma
proof []: <CR>

open -- [sd pre: (true)
           post: ((a + b) * (c + d)
                    = ((c * a + d * a) + c * b) + d * b)]

<sdvs.1.1> goals

g(1) (a + b) * (c + d)
       = ((c * a + d * a) + c * b) + d * b

The provelemma command opens the proof of a state delta that has empty comodification
and modification lists. The precondition is $p$ if the lemma pattern is of the form $p \rightarrow q$ and
is true otherwise. In the first case, the state delta asserts that henceforth (always) $p \rightarrow q$,
and in the second case, the state delta asserts that henceforth (always) $q$ is true.

We first rewritebyaxiom two times and then discuss another use of this command.

<sdvs.1.1> rewritebyaxiom
term to rewrite: (a+b)*(c+d)
axiom name []: multdistributeplus

rewritebyaxiom multdistributeplus -- (a + b) * (c + d)
                                       = (a + b) * c +
                                         (a + b) * d

<sdvs.1.2> rewritebyaxiom
term to rewrite: (a+b)*c
axiom name []: multcommute

rewritebyaxiom multcommute -- (a + b) * c = c * (a + b)

If an "axiom name" parameter is not given to the rewritebyaxiom command, SDVS
searches the list of current axioms to find an axiom in which the "term to rewrite" parameter
is of the form of one of the axiom equality terms. If it succeeds in this search, it rewrites
the term parameter to the rewritebyaxiom command according to the axiom:

<sdvs.1.3> rewritebyaxiom
term to rewrite: c*(a+b)
axiom name []: <CR>

rewritebyaxiom multdistributeplus -- c * (a + b)
                                       = c * a + c * b

<sdvs.1.4> rewritebyaxiom
term to rewrite: (a+b)*d
axiom name []: <CR>

rewritebyaxiom multcommute -- (a + b) * d = d * (a + b)

<sdvs.1.5> rewritebyaxiom
term to rewrite: d*(a+b)
axiom name []: <CR>

rewritebyaxiom multdistributeplus -- d * (a + b)
                                       = d * a + d * b

<sdvs.1.6> close

close -- 5 steps/applications

<sdvs.1> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> write
path name [axioms/mult.axioms]: tutorial/gauss.sdvs
state delta names []: <CR>
proof names []: <CR>
axiom names []: multdistributeplus, multcommute
lemma names []: gausslemma
formula names []: <CR>
formulas names []: <CR>
macro names []: <CR>
datatype names []: <CR>
adalemma names []: <CR>
vhdllemma names []: <CR>

Write to file "tutorial/gauss.sdvs"
-- (multdistributeplus, multcommute,
    gausslemma)


Once the proof of a lemma closes, SDVS automatically associates the proof with the lemma
name. The lemma and its proof may be pretty-printed by the pp command:

<sdvs.2> pp
object: lemma
lemma name: gausslemma

lemma gausslemma (a,b,c,d):
  (a + b) * (c + d)
    = ((c * a + d * a) + c * b) +
      d * b

<sdvs.2> pp
object: lemmaproof
lemma name: gausslemma

(provelemma gausslemma
  proof:
    (rewritebyaxiom (a + b) * (c + d)
       using: multdistributeplus,
     rewritebyaxiom (a + b) * c
       using: multcommute,
     rewritebyaxiom c * (a + b)
       using: multdistributeplus,
     rewritebyaxiom (a + b) * d
       using: multcommute,
     rewritebyaxiom d * (a + b)
       using: multdistributeplus,
     close))

If we were to use the write command and enter the name of the lemma to the query "lemma
names," then SDVS would not only write the lemma to the specified file, but it would write
its proof as well. For completeness, the names of the axioms used in the proof of the lemma
should also be written to the file. Thus, a read of the file would also read the proof of the
lemma and the axioms used in its proof. The entire proof could then be run in the session
in which this file was read.

The reader should use the init command with gauss.partial2.proof for the "proof name"
parameter to see that after "quitting" the proof, SDVS will display "Q.E.D." and will no
longer assert that unproved lemmas were used in the proof.


Example 13  Two other important static proof commands are provebyaxiom and
provebylemma. The latter is used like the former once a lemma has been created. In this
example we will create and prove a lemma using the provebyaxiom command.

The provebyaxiom command is used in a proof to assert an atomic formula $q^*$ using
an axiom either of the form $p \rightarrow q$ or of the form $q$, where $q^* = q[t_1/x_1, \ldots, t_n/x_n]$, the
$t_i$'s are terms, the $x_i$'s are variables of $q$, and where, if the axiom is of the form $p \rightarrow q$,
$p[t_1/x_1, \ldots, t_n/x_n]$ is known to be true in the current state.

We first create and open the proof of square.ineq.lemma, which asserts that if $b > a > 0$,
then $b * b > a * a$. Since this lemma is an implication, the state delta that is created by the
provelemma command has the antecedent in its precondition rather than true.


<sdvs.1> createlemma
name: square.ineq.lemma
pattern: (0 lt a and a lt b) implies a*a lt b*b
free variables []: a,b
constant symbols []: <CR>
function symbols []: <CR>
predicate symbols []: <CR>

Lemma 'square.ineq.lemma' created.


<sdvs.1> init
proof name []: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> provelemma
lemma name: square.ineq.lemma
proof []: <CR>

open -- [sd pre: (0 lt a & a lt b)
           post: (a * a lt b * b)]

<sdvs.1.1> pp
object: axiom
axiom name: multgt

axiom multgt (x,y,z):
  x gt 0 & y gt z or 0 gt x & z gt y --> x * y gt x * z

We use the axiom multgt in the provebyaxiom command. The substitutions, which are
done automatically by SDVS, are b for x and y, and a for z. Note that the axiom is of the
form $p \rightarrow q$ and that $p[b/x, b/y, a/z]$ is true.

<sdvs.1.1> provebyaxiom
formula to prove: b*b gt b*a
axiom name []: multgt

provebyaxiom multgt -- b * b gt b * a

<sdvs.1.2> provebyaxiom
formula to prove: a*b gt a*a
axiom name []: <CR>

provebyaxiom multgt -- a * b gt a * a

So far we have established that $b * b > b * a$ and that $a * b > a * a$. We must still prove
that $b * a = a * b$. We do this, close and quit the proof, and pretty-print it.

<sdvs.1.3> rewritebyaxiom
term to rewrite: a*b
axiom name []: <CR>

rewritebyaxiom multcommute -- a * b = b * a

<sdvs.1.4> close

close -- 3 steps/applications

<sdvs.1> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.
<sdvs.1> pp
object: lemmaproof
lemma name: square.ineq.lemma

(provelemma square.ineq.lemma
  proof:
    (provebyaxiom b * b gt b * a
       using: multgt,
     provebyaxiom a * b gt a * a
       using: multgt,
     rewritebyaxiom a * b
       using: multcommute,
     close))

If we were to prove that $b > a \geq 0 \rightarrow b * b > a * a$, we would have to do a proof by cases
on the case $a = 0$.
7 Interaction with Application Languages


Our approach to adapting SDVS to the verification of programs in a new application
language involves the following steps:

1.  defining  a  sequence  of  application  language  subsets  of  increasing  complexity,  to  be 
incorporated  incrementally  into  SDVS; 

2.  defining  in  state  deltas  the  semantics  of  the  current  application  language  subset;  and 

3.  augmenting  the  SDVS  Simplifier,  domain  repertoire,  and  proof  rules  with  components 
necessary  to  support  the  application  language  subset. 

As  already  indicated,  an  SDVS  correctness  proof  of  a  subject  program  proceeds  by  symbolic 
execution  of  a  state  delta  representation  of  the  program,  with  the  goal  of  achieving  states 
in  which  the  specification  of  the  program  holds.  This  state  delta  representation  is  obtained 
by  invoking  the  application  language  translator,  with  the  subject  program  as  its  argument. 

The  SDVS  language  translators  are  all  organized  according  to  the  same  scheme: 

Parsing.  A  program  is  parsed  according  to  the  concrete  syntax  for  the  language  subset, 
producing  an  abstract  syntax  tree  for  manipulation  by  the  two  subsequent  translation 
phases.  We  use  our  own  tools  to  specify  and  implement  this  process. 

Phase  1:  Static  Checking.  This  first  phase  of  semantic  analysis  detects  “static”  errors, 
such  as  items  undeclared  before  their  use,  inappropriate  types,  and  semantically  ill- 
formed  constructs.  Provided  that  no  errors  occur  in  Phase  1,  an  environment  for  the 
second  (and  final)  phase  of  the  translator  is  produced. 

Phase  2:  State  Delta  Generation.  This  final  phase  of  semantic  analysis  generates  the 
state  deltas  that  define  the  semantics  and  allow  the  symbolic  execution  of  the  program. 


The formal specification of both phases of each translator is written in a continuation-style
denotational semantics [13]. Space limitations constrain the following discussion to be
simplified and sketchy; full details appear in various reports [14, 15, 16, 17, 18, 19]. The
translator is a Common Lisp program, whose behavior is largely specified by the
mathematical equations of a continuation-style denotational semantics for the application
language in terms of the state delta logic.

The  implementation  of  the  translator  from  the  semantics  is  carried  out  automatically  by 
a  tool,  also  developed  at  The  Aerospace  Corporation,  called  the  Denotational  Semantics 
Translator  Environment  (DENOTE)  [20].  The  DENOTE  Language  (DL)  was  specifically 
designed  for  expressing  semantic  equations.  DENOTE  translates  specifications  written 
in  DL,  generating  both  (a)  documentation  in  the  form  of  formatted  equations,  and  (b)  a 
Common  Lisp  implementation  of  the  equations.  DENOTE  is  employed  for  the  development 
of  all  language  interfaces  to  SDVS. 
Figure 6 shows SDVS's scheme for translating a computer program into the state delta
language. Single vectors represent inputs; triple vectors represent the generation of programs,
data or text; oval areas surround SDVS input; single-boxed areas surround text files, which
are either output or data or both; and double-boxed areas represent programs. The
areas enclosed in dashed boxes need be executed only once for each language: once for the
grammar and once for the semantic definition of the translator.

Consider  a  computer  language  L  being  adapted  to  SDVS.  First  an  SLR(l)  grammar  is 
created  with  a  grammar  analysis  tool.  This  grammar  is  input  to  a  parser  generator  tool 
whose  output  is  a  parser  table.  Any  program  written  in  L  can  be  parsed  by  the  table-driven 
parser  along  with  the  generated  table  for  L.  This  parser  is  created  once  for  the  language 
and,  when  it  is  input  a  syntactically  legal  program,  it  outputs  an  abstract  syntax  tree  for 
that  program.  The  abstract  syntax  tree  is  input  to  the  two  phases  of  the  translator  backend. 
The  backend  is  also  generated  once  for  the  language  and  is  created  by  the  DENOTE  tool. 
DENOTE  accepts  a  set  of  equations  that  define  the  semantics  of  L,  and  outputs  either  the 
translator  backend  for  L  or  the  formatted  equations  for  L. 

A  correctness  proof  of  an  application  program  must  deal  not  only  with  the  program’s 
flow  of  control,  but  also  with  its  data  types.  The  language  translator  is  responsible  for 
properly  modeling  control  flow,  but  knowledge  about  the  data  types  must  be  incorporated 
into  SDVS’s  inference  mechanism  (the  Simplifier  and  domain  axiomatizations).  One  must 
decide  which  existing  components  of  SDVS  can  be  directly  adapted  to  deal  with  the  new 
data  types,  and  what  enhancements  to  SDVS’s  inference  machinery  must  be  made. 
7.1 Ada


The  purpose  of  this  section  is  to  illustrate  most  of  the  techniques  available  to  the  user  of 
SDVS  in  proofs  of  correctness  properties  of  Ada  programs. 

The  first  three  examples  involve  two  versions  of  a  simple  Ada  program  with  a  procedure  call. 
The  main  program  orders  two  integers  by  calling  a  switch  procedure,  if  the  integers  are  not 
in  the  right  order.  The  first  version  assigns  concrete  values  to  the  integer  variables,  while  the 
second  version  reads  the  (symbolic)  values  of  the  variables  from  a  standard  input  file  and, 
after  ordering  them,  outputs  these  values  to  a  standard  output  file.  For  the  first  version, 
we  can  only  prove  that  the  program  terminates.  We  provide  two  proofs  of  this  fact:  the 
first  proof  introduces  the  salient  features  of  an  Ada  proof,  while  the  second  illustrates  the 
creation,  proof,  and  invocation  of  an  Ada  lemma.  In  the  third  example,  we  use  the  second 
version  of  the  program  and  prove  a  specification  that  relates  the  output  to  the  input. 

The  last  example  is  an  Ada  version  of  Example  8  in  Section  3.4.  The  Ada  program  reads 
two  integers,  x  and  y  from  the  standard  input  file,  and  if  y  >  0,  computes  their  sum  by 
means  of  a  while  loop  and  writes  the  sum  to  the  standard  output  file.  We  include  this 
example  to  illustrate  the  SDVS  translation  of  an  Ada  while  loop  and  the  use  of  the  induct 
command  in  its  symbolic  execution. 

In  SDVS  (Version  13),  a  theorem  concerning  a  correctness  property  of  the  Ada  program 
mainprogname  stored  in  the  file  progfile.ada  is  a  state  delta  of  the  form 

    [sd pre: ada(progfile.ada), <input specifications>
        comod: all
        mod: all
        post: terminated(mainprogname), <input-output specifications>]

The formula ada(progfile.ada) is a translation of mainprogname into the language of the
state delta logic. This formula acquires a meaning only after the invocation of the adatr
command, at the top level, with the only argument to the command being the path name
of the file progfile.ada. The predicate terminated(mainprogname) is asserted by SDVS
at the last state of the symbolic execution of ada(progfile.ada). The last two examples
of this section illustrate the use of the input and the input-output specifications.

7.1.1  A  simple  Ada  program  with  a  subprogram 

Example 14  Consider the following Ada program which is stored in the file order1.ada.

    with text_io; use text_io;
    with integer_io; use integer_io;
    procedure order1 is
      u, v, switched : integer;
      procedure switch(x, y : in out integer) is
        temp : integer;
      begin
        temp := x;
        x := y;
        y := temp;
      end switch;
    begin
      u := 3;
      v := 2;
      if u <= v then
        switched := 0;
      else
        switch(u, v);
        switched := 1;
      end if;
    end order1;


Clearly, the execution of this program terminates, and during the execution the values of the
variables u and v are switched and the variable switched is assigned the value 1. Since these
variables have neither initial nor final values, and in fact cannot be referenced at the top
level of the precondition or postcondition of a state delta asserting a correctness property
of the program (in the current SDVS semantic interpretation of Ada, these variables do
not even exist at the initial and final states of the execution of the program), the only
correctness property that we can prove about this program is that it terminates. The state
delta order1.sd asserts this correctness property:

    [sd pre: (ada(order1.ada))
        comod: (all)
        mod: (all)
        post: (terminated(order1))]

To  prove  this  state  delta  we  must  first  invoke  the  adatr  command,  at  the  top  level,  and 
then  open  the  proof. 

<sdvs.1> adatr
path name [testproofs/foo.ada]: tutorial/order1.ada

Parsing Stage 4 Ada file -- "tutorial/order1.ada"
Translating Stage 4 Ada file -- "tutorial/order1.ada"

<sdvs.2> setflag
flag variable: autoclose
on or off [on]: off

setflag autoclose -- off

<sdvs.3> init
proof name[]: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> prove
state delta[]: order1.sd
proof []: <CR>

open -- [sd pre: (ada(order1.ada))
           comod: (all)
           mod: (all)
           post: (terminated(order1))]

Complete the proof.

<sdvs.1.1> goals

g(1) terminated(order1)

Here is the state delta that is usable at the beginning of the proof.

<sdvs.1.1> usable

u(1) [sd pre: (true)
        comod: (all)
        mod: (order1\pc)
        post: (<adatr procedure order1 is
                        u, ... : integer
                      begin
                        u := 3;
                      end order1;>)]

No usable quantified formulas.
The only element in the modification list of this usable and applicable state delta is the
variable order1\pc, which represents the program counter of the main program order1. The
program counter will appear in the modification list of every state delta that is generated
by the Ada translator. We apply this state delta and check the next state delta that is
generated by the translator.

<sdvs.1.1> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc)
          post: (<adatr procedure order1 is
                   u, ... : integer
                 begin
                   u := 3;
                 end order1;>)]

<sdvs.1.2> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order1\pc,order1)
         post: (alldisjoint(order1,.order1,u,v,switched),
                covering(#order1,.order1,u,v,switched),
                declare(u,type(integer)),declare(v,type(integer)),
                declare(switched,type(integer)),
                <adatr u, ... : integer>)]

No usable quantified formulas.

This usable state delta elaborates and declares the objects u, v, and switched to be of the
type specified by the Ada program. We apply it and thereby elaborate the variables.

<sdvs.1.2> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1)
          post: (alldisjoint(order1,.order1,u,v,switched),
                 covering(#order1,.order1,u,v,switched),
                 declare(u,type(integer)),declare(v,type(integer)),
                 declare(switched,type(integer)),
                 <adatr u, ... : integer>)]

<sdvs.1.3> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order1\pc,u)
         post: (#u = 3,
                <adatr u := 3;>)]

No usable quantified formulas.


We  first  execute  past  the  two  assignment  statements. 


<sdvs.1.3> apply

sd/number[highest applicable/once]: 2

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,u)
          post: (#u = 3,
                 <adatr u := 3;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,v)
          post: (#v = 2,
                 <adatr v := 2;>)]

<sdvs.1.5> usable

u(1) [sd pre: (~(.u le .v))
         comod: (all)
         mod: (order1\pc)
         post: (<adatr if u <= v
                  switched := 0;
                else switch (u, ...);
                end if;>)]

u(2) [sd pre: (.u le .v)
         comod: (all)
         mod: (order1\pc)
         post: (<adatr if u <= v
                  switched := 0;
                else switch (u, ...);
                end if;>)]

No usable quantified formulas.

<sdvs.1.5> applicable

u(1) [sd pre: (~(.u le .v))
         comod: (all)
         mod: (order1\pc)
         post: (<adatr if u <= v
                  switched := 0;
                else switch (u, ...);
                end if;>)]

The conjunction of the two usable state deltas u(1) and u(2) is the SDVS translation of
the "if ... then ... else ... end if" program segment. Since u is greater than
v, only u(1) is applicable.

<sdvs.1.5> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (~(.u le .v))
          comod: (all)
          mod: (order1\pc)
          post: (<adatr if u <= v
                   switched := 0;
                 else switch (u, ...);
                 end if;>)]

<sdvs.1.6> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order1\pc,order1)
         post: (alldisjoint(order1,.order1,x,y),
                covering(#order1,.order1,x,y),declare(x,type(integer)),
                declare(y,type(integer)),
                <adatr switch (u, ...)>)]

No usable quantified formulas.

This usable state delta, u(1), represents the elaboration of the objects x and y of procedure
switch. We elaborate the declarations, bind x and y to u and v, respectively, and advance
the program counter to "at(order1.switch)".

<sdvs.1.6> apply

sd/number[highest applicable/once]: 3

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1)
          post: (alldisjoint(order1,.order1,x,y),
                 covering(#order1,.order1,x,y),
                 declare(x,type(integer)),declare(y,type(integer)),
                 <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,x,y)
          post: (#x = .u,#y = .v,
                 <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc)
          post: (#order1\pc = at(order1.switch),
                 <adatr switch (u, ...)>)]

<sdvs.1.9> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order1\pc,order1)
         post: (alldisjoint(order1,.order1,temp),
                covering(#order1,.order1,temp),
                declare(temp,type(integer)),
                <adatr temp : integer>)]

No usable quantified formulas.


The identifier order1.switch is the qualified name of procedure switch, and the usable
state delta u(1) represents the elaboration of the object temp of procedure switch. We
elaborate the declaration, and execute through the body of the procedure.

<sdvs.1.9> apply

sd/number[highest applicable/once]: 4

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1)
          post: (alldisjoint(order1,.order1,temp),
                 covering(#order1,.order1,temp),
                 declare(temp,type(integer)),
                 <adatr temp : integer>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,temp)
          post: (#temp = .x,
                 <adatr temp := x;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,x)
          post: (#x = .y,
                 <adatr x := y;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,y)
          post: (#y = .temp,
                 <adatr y := temp;>)]

<sdvs.1.13> simp
expression: .x

2

<sdvs.1.13> simp
expression: .y

3

<sdvs.1.13> applicable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order1\pc,order1,temp)
         post: (covering(.order1,#order1,temp),undeclare(temp),
                <adatr temp : integer>)]


We now "undeclare" the object temp and advance the state to the point at which the
program counter is at "exited(order1.switch)".


<sdvs.1.13> apply

sd/number[highest applicable/once]: 2

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1,temp)
          post: (covering(.order1,#order1,temp),undeclare(temp),
                 <adatr temp : integer>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc)
          post: (#order1\pc = exited(order1.switch),
                 <adatr switch (u, ...)>)]

<sdvs.1.15> simp
expression: .x

2

<sdvs.1.15> simp
expression: .y

3

Notice that, at this point, x and y have not been "undeclared." We assign the current
values of x and y to u and v, respectively, and "undeclare" x and y.

<sdvs.1.15> apply

sd/number[highest applicable/once]: 2

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,u,v)
          post: (#u = .x,#v = .y,
                 <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1,x,y)
          post: (covering(.order1,#order1,x,y),undeclare(x,y),
                 <adatr switch (u, ...)>)]

<sdvs.1.17> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order1\pc,switched)
         post: (#switched = 1,
                <adatr switched := 1;>)]

No usable quantified formulas.


We have now truly exited the procedure switch and are at the assignment switched := 1
of the main program. We execute the assignment, undeclare u and v, and close, quit, and
pretty-print the proof.


<sdvs.1.17> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,switched)
          post: (#switched = 1,
                 <adatr switched := 1;>)]

<sdvs.1.18> apply

sd/number[highest applicable/once]: 2

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1,u,v,switched)
          post: (covering(.order1,#order1,u,v,switched),
                 undeclare(u,v,switched),
                 <adatr u, ... : integer>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc)
          post: (terminated(order1))]

<sdvs.1.20> whynotgoal
simplify? [no]: <CR>

The goal is TRUE. Type 'close'.

<sdvs.1.20> close

close -- 19 steps/applications

<sdvs.2> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> pp
object: proof
proof name: sdvsproof

proof sdvsproof:

prove order1.sd
  proof:
    (apply u(1),
     apply u(1),
     apply 2,
     apply u(1),
     apply 11,
     apply u(1),
     apply 2,
     close)


The  applys  above  could  be  replaced  by  one  use  of  the  go  command. 


7.1.2  Creating,  proving,  and  invoking  an  Ada  lemma 
Example 15 In this example we create and prove a lemma about the subprogram switch
of the program order1, and then reprove the state delta order1.sd of Example 14 by
invoking the lemma at the appropriate point in the proof. We also demonstrate the go
command in the elaboration of the declarations.

We first initialize the system and translate the Ada program in the file order1.ada. (It is
not necessary to translate the file again if it has been translated in the current session.)

<sdvs.1> init

proof name []: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

We  can  now  create  the  Ada  lemma. 


<sdvs.1> createadalemma

lemma name: switch_lemma
file name: tutorial/order1.ada
subprogram name: switch
qualified name: order1.switch
preconditions []: <CR>
mod list[]:
postconditions:

createadalemma -- [sd pre: (.order1\pc = at(order1.switch))
                   comod: (all)
                   mod: (order1\pc,x,y)
                   post: (#x = .y,#y = .x,
                          #order1\pc = exited(order1.switch))]


Notice that the system created a state delta with some of our entries and supplied additional
ones. Specifically, the precondition and postcondition include the expected values of the
program counter of the main program order1, in which the subprogram switch is contained.
In Example 14 we saw at which points of the execution these values were attained. The
precondition value of the program counter was attained after the declaration and binding
of the variables x and y, and the postcondition value was attained after the local variable
temp was undeclared. Note that we entered a null parameter to the preconditions []:
query of the createadalemma command. The user may enter any precondition formula
whose program variables are either in the scope of the subprogram declaration or are formal
parameters of the subprogram. Of course, this formula must be true at the time that the
lemma is invoked. The program counter was also added to the modification list of the
state delta. Finally, this is the state delta that will be asserted by the invokeadalemma
command.

We will now prove this Ada lemma. The proveadalemma command sets up the environment
to prove the lemma.

<sdvs.2> setflag

flag variable: autoclose
on or off [on]: on

setflag autoclose -- on

<sdvs.3> init

proof name []: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> proveadalemma

Ada lemma name: switch_lemma
proof []: <CR>

open -- [sd pre: (alldisjoint(order1,.order1),
                  covering(.order1,order1\pc,u,v,switched,stdin,stdin\ctr,
                           stdout,stdout\ctr),
                  declare(u,type(integer)),declare(v,type(integer)),
                  declare(switched,type(integer)),
                  declare(stdin,type(polymorphic)),
                  declare(stdin\ctr,type(integer)),
                  declare(stdout,type(polymorphic)),
                  declare(stdout\ctr,type(integer)),
                  <adatr null;>)
         comod: (all)
         mod: (all)
         post: ([sd pre: (.order1\pc = at(order1.switch))
                    comod: (all)
                    mod: (diff(all,
                               diff(union(order1\pc,u,v,switched,stdin,
                                          stdin\ctr,stdout,stdout\ctr,x,
                                          y),
                                    union(order1\pc,x,y))))
                    post: (#x = .y,#y = .x,
                           #order1\pc = exited(order1.switch))])]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1)
          post: (alldisjoint(order1,.order1,x,y),
                 covering(#order1,.order1,x,y),
                 declare(x,type(integer)),declare(y,type(integer)),
                 <adatr null;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,x,y)
          post: (#x = .x,#y = .y,
                 <adatr null;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc)
          post: (#order1\pc = at(order1.switch),
                 <adatr null;>)]

go -- breakpoint reached

open -- [sd pre: (.order1\pc = at(order1.switch))
         comod: (all)
         mod: (diff(all,
                    diff(union(order1\pc,u,v,switched,stdin,
                               stdin\ctr,stdout,stdout\ctr,x,y),
                         union(order1\pc,x,y))))
         post: (#x = .y,#y = .x,
                #order1\pc = exited(order1.switch))]

<sdvs.1.4.1> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order1\pc,order1)
         post: (alldisjoint(order1,.order1,temp),
                covering(#order1,.order1,temp),
                declare(temp,type(integer)),
                <adatr temp : integer>)]

No usable quantified formulas.

The  proof  proceeds  as  before;  we  use  the  until  command  for  the  applications. 
<sdvs.1.4.1> until

formula: #order1\pc=exited(order1.switch)

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1)
          post: (alldisjoint(order1,.order1,temp),
                 covering(#order1,.order1,temp),
                 declare(temp,type(integer)),
                 <adatr temp : integer>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,temp)
          post: (#temp = .x,
                 <adatr temp := x;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,x)
          post: (#x = .y,
                 <adatr x := y;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,y)
          post: (#y = .temp,
                 <adatr y := temp;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1,temp)
          post: (covering(.order1,#order1,temp),undeclare(temp),
                 <adatr temp : integer>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc)
          post: (#order1\pc = exited(order1.switch),
                 <adatr null;>)]

close -- 6 steps/applications
close -- 4 steps/applications

proveadalemma -- [sd pre: (.order1\pc = at(order1.switch))
                  comod: (all)
                  mod: (order1\pc,x,y)
                  post: (#x = .y,#y = .x,
                         #order1\pc = exited(order1.switch))]


<sdvs.1> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.

Let us once more open the proof of order1.sd.

<sdvs.1> init

proof name[]: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> prove

state delta[]: order1.sd
proof []: <CR>

open -- [sd pre: (ada(order1.ada))
         comod: (all)
         mod: (all)
         post: (terminated(order1))]

Complete the proof.

The go command is similar to until except that

• in the application of state deltas, go will only apply a state delta if it is applicable
  and at the top of the usable state deltas stack,

• until requires a formula parameter whereas go does not, and

• go also instantiates quantified formulas that are "applicable."

<sdvs.1.1> go

until[]: #order1\pc=at(order1.switch)

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc)
          post: (<adatr procedure order1 is
                   u, ... : integer
                 begin
                   u := 3;
                 end order1;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1)
          post: (alldisjoint(order1,.order1,u,v,switched),
                 covering(#order1,.order1,u,v,switched),
                 declare(u,type(integer)),declare(v,type(integer)),
                 declare(switched,type(integer)),
                 <adatr u, ... : integer>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,u)
          post: (#u = 3,
                 <adatr u := 3;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,v)
          post: (#v = 2,
                 <adatr v := 2;>)]

apply -- [sd pre: (~(.u le .v))
          comod: (all)
          mod: (order1\pc)
          post: (<adatr if u <= v
                   switched := 0;
                 else switch (u, ...);
                 end if;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1)
          post: (alldisjoint(order1,.order1,x,y),
                 covering(#order1,.order1,x,y),
                 declare(x,type(integer)),declare(y,type(integer)),
                 <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,x,y)
          post: (#x = .u,#y = .v,
                 <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc)
          post: (#order1\pc = at(order1.switch),
                 <adatr switch (u, ...)>)]

go -- breakpoint reached

<sdvs.1.9> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order1\pc,order1)
         post: (alldisjoint(order1,.order1,temp),
                covering(#order1,.order1,temp),
                declare(temp,type(integer)),
                <adatr temp : integer>)]

No usable quantified formulas.

We are at the point at which the precondition of the state delta created by the
createadalemma command is true, and we may apply the lemma using the invokeadalemma
command. This is the only point where we may use the lemma, because it is the only point
at which the program counter has the correct value.

<sdvs.1.9> invokeadalemma

Ada lemma name: switch_lemma

invokeadalemma -- [sd pre: (.order1\pc = at(order1.switch))
                   comod: (all)
                   mod: (order1\pc,x,y)
                   post: (#x = .y,#y = .x,
                          #order1\pc = exited(order1.switch),
                          <adatr return;>)]

<sdvs.1.10> usable

u(1) [sd pre: (.order1\pc = exited(order1.switch))
         comod: (all)
         mod: (order1\pc)
         post: (<adatr switch (u, ...)>)]

u(2) [sd pre: (true)
         comod: (all)
         mod: (order1\pc)
         post: (#order1\pc = exited(order1.switch),
                <adatr switch (u, ...)>)]

No usable quantified formulas.

<sdvs.1.10> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (.order1\pc = exited(order1.switch))
          comod: (all)
          mod: (order1\pc)
          post: (<adatr switch (u, ...)>)]

<sdvs.1.11> simp
expression: .x

2

<sdvs.1.11> simp
expression: .y

3

<sdvs.1.11> simp
expression: .u

3

<sdvs.1.11> simp
expression: .v

2
After the application of the state delta created by the lemma, we are at a familiar point in
the proof; we assign the values of x and y to u and v and execute to the end using until.
Finally, we close and quit the proof, then pretty-print it.

<sdvs.1.11> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,u,v)
          post: (#u = .x,#v = .y,
                 <adatr switch (u, ...)>)]

<sdvs.1.12> simp
expression: .u

2

<sdvs.1.12> simp
expression: .v

3

<sdvs.1.12> until

formula: terminated(order1)

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1,x,y)
          post: (covering(.order1,#order1,x,y),undeclare(x,y),
                 <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,switched)
          post: (#switched = 1,
                 <adatr switched := 1;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc,order1,u,v,switched)
          post: (covering(.order1,#order1,u,v,switched),
                 undeclare(u,v,switched),
                 <adatr u, ... : integer>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order1\pc)
          post: (terminated(order1))]

close -- 15 steps/applications

<sdvs.2> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> pp
object: proof
proof name: sdvsproof

proof sdvsproof:

prove order1.sd
  proof:
    (go #order1\pc = at(order1.switch),
     invokeadalemma switch_lemma,
     apply u(1),
     apply u(1),
     until terminated(order1))


7.1.3  Ada  input  and  output 

The program order1 in Examples 14 and 15 did not read or write any values of its objects.
Consequently, the only specification we could state and prove about the program was that it
terminated. In practice, a program inputs and outputs data, and a specification concerning
it is usually a relation of the output to the input.

Standard  input  and  output  buffers  are  part  of  the  predefined  environment  for  SDVS  Ada 
programs.  The  SDVS  Ada  translator  behaves  as  if  every  main  program  contains  a  package 
roughly  of  the  form 

package STANDARD is
  package TEXT_IO is
    stdin : array(1..?) of polymorphic;
    stdin\ctr : integer := 1;
    stdout : array(1..?) of polymorphic;
    stdout\ctr : integer := 1;
    procedure get(get\item : out polymorphic) is
    begin
      get\item := stdin(stdin\ctr);
      stdin\ctr := stdin\ctr+1;
    end get;

    procedure put(put\item : in polymorphic) is
    begin
      stdout(stdout\ctr) := put\item;
      stdout\ctr := stdout\ctr+1;
    end put;

The  reader  may  have  noticed  in  the  last  example  that  the  proveadalemma  command 
opened  the  proof  of  a  state  delta,  two  of  whose  fields  allude  to  the  objects  in  this  fictional 
“STANDARD”  package.  A  “get(u)”  or  a  “put(u)”  in  an  Ada  program  is  translated  as  if 
it  were  a  procedure  call  to  the  get  and  put  procedures  of  this  package. 

Our  next  example  concerns  an  Ada  program  with  both  input  and  output  and  a  state  delta 
assertion  of  the  correctness  of  its  output  with  respect  to  its  input. 


Example  16  Consider  the  program  order2  in  the  file  order2.ada: 


with text_io; use text_io;
with integer_io; use integer_io;

procedure order2 is
  u, v, switched : integer;
  procedure switch(x, y : in out integer) is
    temp : integer;
  begin
    temp := x;
    x := y;
    y := temp;
  end switch;
begin
  get(u);
  get(v);
  if u <= v then
    switched := 0;
  else
    switch(u,v);
    switched := 1;
  end if;
  put(u);
  put(v);
  put(switched);
end order2;


and the state delta order2.sd:

[sd pre: (ada(order2.ada))
    comod: (all)
    mod: (all)
    post: (terminated(order2),#stdout[1] le #stdout[2],
           (#stdout[3] = 0 & #stdout[1] = .stdin[1]) &
           #stdout[2] = .stdin[2] or
           (#stdout[3] = 1 & #stdout[1] = .stdin[2]) &
           #stdout[2] = .stdin[1])]

In the symbolic execution of ada(order2.ada), i.e., of the SDVS translation of the program
order2, u and v will be initially assigned the values of stdin[1] and stdin[2], respectively,
and towards the end of the execution, stdout[1], stdout[2], and stdout[3] will be assigned
the values of u, v, and switched, respectively. It should be obvious from the program that
order2.sd is a valid state delta (provided that stdin[1] and stdin[2] remain constant during
the execution).
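To make that argument concrete, here is an added example (my own Python model, not SDVS code or part of the tutorial): it encodes the translation of order2 as state deltas with pre, mod and post fields, executes them symbolically with the tutorial's .x/#x convention, and, where neither branch of the if statement is applicable, splits on .u le .v the way the cases command does later in this proof, then checks the postcondition of order2.sd in each case. The `le`/`not_le` assumption tuples, the `stdout[*]` wildcard in a mod list, and the use of strings such as "stdin[1]" as symbolic input cells are constructed conventions of this model.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, List, Tuple

# Values are ints or symbolic input cells written as strings, e.g. "stdin[1]".
# A state maps variables to values; .x is the value before a state delta is
# applied and #x the value after it (the notation used in the tutorial).
State = Dict[str, Any]
Assumptions = FrozenSet[Tuple[str, Any, Any]]  # ("le", a, b) or ("not_le", a, b)
STDIN_CTR, STDOUT_CTR = "stdin\\ctr", "stdout\\ctr"
INITIAL = {STDIN_CTR: 1, STDOUT_CTR: 1}  # predefined environment: counters start at 1

@dataclass
class StateDelta:
    name: str
    pre: Callable[[State, Assumptions], Any]   # applicability in the current state
    mod: List[str]                             # variables the delta may change
    post: Callable[[State], Dict[str, Any]]    # #-values computed from .-values

def le(a: Any, b: Any, assumptions: Assumptions):
    """Decide `a le b`; None when the case assumptions do not settle it."""
    if isinstance(a, int) and isinstance(b, int):
        return a <= b
    # Integers are totally ordered, so not(b le a) implies a le b.
    if a == b or ("le", a, b) in assumptions or ("not_le", b, a) in assumptions:
        return True
    return False if ("not_le", a, b) in assumptions else None

def apply(sd: StateDelta, state: State, assumptions: Assumptions) -> State:
    """Apply one state delta: check its precondition, then update only mod'd variables."""
    if not sd.pre(state, assumptions):
        raise ValueError(f"{sd.name} is not applicable")
    new_values = sd.post(state)
    for var in new_values:
        if not any(var == m or (m.endswith("[*]") and var.startswith(m[:-3])) for m in sd.mod):
            raise ValueError(f"{sd.name} changes {var}, which is not in its mod list")
    return {**state, **new_values}

def get_sd(var: str) -> StateDelta:
    """get(var) as in the STANDARD package: var := stdin(stdin\\ctr); stdin\\ctr := stdin\\ctr + 1.
    An input cell that was never given a concrete value stays symbolic ("stdin[n]")."""
    def post(s: State) -> Dict[str, Any]:
        cell = f"stdin[{s[STDIN_CTR]}]"
        return {var: s.get(cell, cell), STDIN_CTR: s[STDIN_CTR] + 1}
    return StateDelta(f"get({var})", lambda s, a: True, [var, STDIN_CTR], post)

def put_sd(var: str) -> StateDelta:
    """put(var): stdout(stdout\\ctr) := var; stdout\\ctr := stdout\\ctr + 1."""
    def post(s: State) -> Dict[str, Any]:
        return {f"stdout[{s[STDOUT_CTR]}]": s[var], STDOUT_CTR: s[STDOUT_CTR] + 1}
    return StateDelta(f"put({var})", lambda s, a: True, ["stdout[*]", STDOUT_CTR], post)

# The two usable state deltas for "if u <= v then ... else ... end if": at most one
# is applicable, and neither is while .u le .v is undecided (then `cases` is needed).
IF_THEN = StateDelta("if-then", lambda s, a: le(s["u"], s["v"], a) is True,
                     ["switched"], lambda s: {"switched": 0})
IF_ELSE = StateDelta("if-else", lambda s, a: le(s["u"], s["v"], a) is False,
                     ["u", "v", "switched"],  # switch(u, v); switched := 1
                     lambda s: {"u": s["v"], "v": s["u"], "switched": 1})
ORDER2 = [get_sd("u"), get_sd("v"), (IF_ELSE, IF_THEN),
          put_sd("u"), put_sd("v"), put_sd("switched")]

def execute(program: list, state: State, assumptions: Assumptions) -> List[Tuple[State, Assumptions]]:
    """Symbolic execution with case splitting: one (final state, assumptions) per case."""
    for i, step in enumerate(program):
        if isinstance(step, tuple):
            applicable = [sd for sd in step if sd.pre(state, assumptions)]
            if not applicable:
                # cases .u le .v: continue each branch under its own assumption
                u, v = state["u"], state["v"]
                results: List[Tuple[State, Assumptions]] = []
                for extra in (("le", u, v), ("not_le", u, v)):
                    results += execute(program[i:], state, assumptions | {extra})
                return results
            step = applicable[0]
        state = apply(step, state, assumptions)
    return [(state, assumptions)]

def order2_sd_holds(final: State, assumptions: Assumptions) -> bool:
    """The postcondition of order2.sd, evaluated on a final symbolic state."""
    out1, out2, out3 = final["stdout[1]"], final["stdout[2]"], final["stdout[3]"]
    unchanged = out3 == 0 and out1 == "stdin[1]" and out2 == "stdin[2]"
    swapped = out3 == 1 and out1 == "stdin[2]" and out2 == "stdin[1]"
    return le(out1, out2, assumptions) is True and (unchanged or swapped)

def verify_order2() -> Dict[str, bool]:
    """Map each case (its assumption) to whether order2.sd holds in that case."""
    return {" & ".join(f"{op}({a},{b})" for op, a, b in sorted(asm)): order2_sd_holds(final, asm)
            for final, asm in execute(ORDER2, dict(INITIAL), frozenset())}

def run_concrete(first: int, second: int) -> Tuple[Any, Any, Any]:
    """The same deltas on concrete input cells (3, 2 reproduces the values of Example 14)."""
    (final, _), = execute(ORDER2, {**INITIAL, "stdin[1]": first, "stdin[2]": second}, frozenset())
    return final["stdout[1]"], final["stdout[2]"], final["stdout[3]"]
```

`verify_order2()` reports True for both the `le` and the `not_le` case, which is exactly the two-case argument the proof below carries out in SDVS.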

Here is a proof of order2.sd.

<sdvs.1> setflag

flag variable: autoclose
on or off [off]: on

setflag autoclose -- on

<sdvs.2> init

proof name []: <CR>

State Delta Verification System, Version 13
Restricted to authorized users only.

<sdvs.1> adatr

path name[tutorial/order1.ada]: tutorial/order2.ada
Parsing Stage 4 Ada file -- "tutorial/order2.ada"
Translating Stage 4 Ada file -- "tutorial/order2.ada"

<sdvs.2> pp
object: ada
file name[order2.ada]: order2.ada

alldisjoint(order2,.order2)
covering(.order2,order2\pc,stdin,stdin\ctr,stdout,stdout\ctr)
declare(stdin,type(array,1,range(stdin),type(polymorphic)))
declare(stdin\ctr,type(integer))
.stdin\ctr = 1
declare(stdout,type(array,1,range(stdout),type(polymorphic)))
declare(stdout\ctr,type(integer))
.stdout\ctr = 1


<sdvs.2> prove

state delta []: order2.sd
proof []: <CR>

open -- [sd pre: (ada(order2.ada))
         comod: (all)
         mod: (all)
         post: (terminated(order2),#stdout[1] le #stdout[2],
                (#stdout[3] = 0 & #stdout[1] = .stdin[1]) &
                #stdout[2] = .stdin[2] or
                (#stdout[3] = 1 & #stdout[1] = .stdin[2]) &
                #stdout[2] = .stdin[1])]

Complete the proof.

<sdvs.2.1> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order2\pc)
         post: (<adatr procedure order2 is
                  u, ... : integer
                begin
                  get (u);
                end order2;>)]

No usable quantified formulas.

Notice  that  it  is  possible  to  pretty-print  (a  portion  of)  the  translation  of  the  Ada  program, 
and  that  the  parameter  given  to  the  pp  command  is  the  file  name  of  the  Ada  program,  not 
the  name  of  the  program  itself. 

We  now  proceed  as  before. 


<sdvs.2.1> apply
sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc)
          post: (<adatr procedure order2 is
                   u, ... : integer
                 begin
                   get (u);
                 end order2;>)]

<sdvs.2.2> apply
sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc,order2)
          post: (alldisjoint(order2,.order2,u,v,switched),
                 covering(#order2,.order2,u,v,switched),
                 declare(u,type(integer)),declare(v,type(integer)),
                 declare(switched,type(integer)),
                 <adatr u, ... : integer>)]

<sdvs.2.3> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order2\pc,order2)
         post: (alldisjoint(order2,.order2,get\item),
                covering(#order2,.order2,get\item),
                declare(get\item,type(polymorphic)),
                <adatr get (u)>)]

No usable quantified formulas.
The applicable state delta u(1) is the beginning of the translation of the get(u) statement.
We execute through its full translation.


<sdvs.2.3> apply

sd/number[highest applicable/once]: 6

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc,order2)
          post: (alldisjoint(order2,.order2,get\item),
                 covering(#order2,.order2,get\item),
                 declare(get\item,type(polymorphic)),
                 <adatr get (u)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc)
          post: (#order2\pc = at(standard.text_io.get),
                 <adatr get (u)>)]

apply -- [sd pre: (.order2\pc = at(standard.text_io.get))
          comod: (all)
          mod: (order2\pc,stdin\ctr,get\item)
          post: (#get\item = .stdin[.stdin\ctr],
                 #stdin\ctr = .stdin\ctr + 1,
                 #order2\pc = exited(standard.text_io.get),
                 <adatr null;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc,u)
          post: (#u = .get\item,
                 <adatr get (u)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc,order2,get\item)
          post: (covering(.order2,#order2,get\item),
                 undeclare(get\item),
                 <adatr get (u)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc,order2)
          post: (alldisjoint(order2,.order2,get\item!2),
                 covering(#order2,.order2,get\item!2),
                 declare(get\item!2,type(polymorphic)),
                 <adatr get (v)>)]

<sdvs.2.9> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order2\pc)
         post: (#order2\pc = at(standard.text_io.get),
                <adatr get (v)>)]

No usable quantified formulas.

We  are  now  at  the  beginning  of  the  translation  of  the  get(v)  statement  of  the  program. 
Having  already  seen  the  flow  of  the  first  get,  we  quickly  proceed  to  the  “if  u  <=  v  then 
else  . . .  end  if”  statement,  using  go,  which  will  stop  at  that  point  because  there 
will  be  no  applicable  state  deltas  at  the  top  of  the  usable  stack  to  apply. 


<sdvs.2.9> go
until[]: <CR>

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc)
          post: (#order2\pc = at(standard.text_io.get),
                 <adatr get (v)>)]

apply -- [sd pre: (.order2\pc = at(standard.text_io.get))
          comod: (all)
          mod: (order2\pc,stdin\ctr,get\item!2)
          post: (#get\item!2 = .stdin[.stdin\ctr],
                 #stdin\ctr = .stdin\ctr + 1,
                 #order2\pc = exited(standard.text_io.get),
                 <adatr null;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc,v)
          post: (#v = .get\item!2,
                 <adatr get (v)>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc,order2,get\item!2)
          post: (covering(.order2,#order2,get\item!2),
                 undeclare(get\item!2),
                 <adatr get (v)>)]

go -- no more declarations or statements

<sdvs.2.13> usable

u(1) [sd pre: (~(.u le .v))
         comod: (all)
         mod: (order2\pc)
         post: (<adatr if u <= v
                  switched := 0;
                else switch (u, ...);
                end if;>)]

u(2) [sd pre: (.u le .v)
         comod: (all)
         mod: (order2\pc)
         post: (<adatr if u <= v
                  switched := 0;
                else switch (u, ...);
                end if;>)]

No usable quantified formulas.

<sdvs.2.13> applicable

The reason that neither of the two usable state deltas is applicable is that neither precondition
is necessarily true. We must use the cases command to consider each possibility.

<sdvs.2.13> cases

case predicate: .u le .v

cases -- .u le .v

open -- [sd pre: (.u le .v)
         comod: (all)
         mod: (all)
         post: (terminated(order2),#stdout[1] le #stdout[2],
                (#stdout[3] = 0 & #stdout[1] = stdin\232) &
                #stdout[2] = stdin\234 or
                (#stdout[3] = 1 & #stdout[1] = stdin\234) &
                #stdout[2] = stdin\232)]

The proof of the first case, in which u <= v, has been opened by the system. The goal
remains the same. We must execute until we reach the goal, at which point SDVS will open
the proof of the second case. We execute to the put(u) statement.

<sdvs.2.13.1.1> apply

sd/number[highest applicable/once]: 2

apply -- [sd pre: (.u le .v)
          comod: (all)
          mod: (order2\pc)
          post: (<adatr if u <= v
                   switched := 0;
                 else switch (u, ...);
                 end if;>)]

apply -- [sd pre: (true)
          comod: (all)
          mod: (order2\pc,switched)
          post: (#switched = 0,
                 <adatr switched := 0;>)]

<sdvs.2.13.1.3> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order2\pc,order2)
         post: (alldisjoint(order2,.order2,put\item),
                covering(#order2,.order2,put\item),
                declare(put\item,type(polymorphic)),
                <adatr put (u)>)]

No usable quantified formulas.

The put(u) statement is translated in a manner roughly akin to a procedure call to put: a
place put\item for the actual parameter is declared, assigned the value of u, consumed by the
body of standard.text_io.put, and finally undeclared. We now proceed through these five
applications to the next statement of the program order2.

<sdvs.2.13.1.3> apply

sd/number[highest applicable/once]: 5

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2)
             post: (alldisjoint(order2,.order2,put\item),
                    covering(#order2,.order2,put\item),
                    declare(put\item,type(polymorphic)),
                    <adatr put (u)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,put\item)
             post: (#put\item = .u,
                    <adatr put (u)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (#order2\pc = at(standard.text_io.put),
                    <adatr put (u)>)]

apply -- [sd pre: (.order2\pc = at(standard.text_io.put))
             comod: (all)
             mod: (order2\pc,stdout[.stdout\ctr],stdout\ctr)
             post: (#stdout[.stdout\ctr] = .put\item,
                    #stdout\ctr = .stdout\ctr + 1,
                    #order2\pc = exited(standard.text_io.put),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,put\item)
             post: (covering(.order2,#order2,put\item),
                    undeclare(put\item),
                    <adatr put (u)>)]

<sdvs.2.13.1.8> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (order2\pc,order2)
         post: (alldisjoint(order2,.order2,put\item!2),
                covering(#order2,.order2,put\item!2),
                declare(put\item!2,type(polymorphic)),
                <adatr put (v)>)]

No usable quantified formulas.


We are now at the beginning of the next two statements, put(v) and put(switched). We
execute through both, to the end of the first case, using the go command.


<sdvs.2.13.1.8> go

until[]: <CR>

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2)
             post: (alldisjoint(order2,.order2,put\item!2),
                    covering(#order2,.order2,put\item!2),
                    declare(put\item!2,type(polymorphic)),
                    <adatr put (v)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,put\item!2)
             post: (#put\item!2 = .v,
                    <adatr put (v)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (#order2\pc = at(standard.text_io.put),
                    <adatr put (v)>)]

apply -- [sd pre: (.order2\pc = at(standard.text_io.put))
             comod: (all)
             mod: (order2\pc,stdout[.stdout\ctr],stdout\ctr)
             post: (#stdout[.stdout\ctr] = .put\item!2,
                    #stdout\ctr = .stdout\ctr + 1,
                    #order2\pc = exited(standard.text_io.put),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,put\item!2)
             post: (covering(.order2,#order2,put\item!2),
                    undeclare(put\item!2),
                    <adatr put (v)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2)
             post: (alldisjoint(order2,.order2,put\item!3),
                    covering(#order2,.order2,put\item!3),
                    declare(put\item!3,type(polymorphic)),
                    <adatr put (switched)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,put\item!3)
             post: (#put\item!3 = .switched,
                    <adatr put (switched)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (#order2\pc = at(standard.text_io.put),
                    <adatr put (switched)>)]

apply -- [sd pre: (.order2\pc = at(standard.text_io.put))
             comod: (all)
             mod: (order2\pc,stdout[.stdout\ctr],stdout\ctr)
             post: (#stdout[.stdout\ctr] = .put\item!3,
                    #stdout\ctr = .stdout\ctr + 1,
                    #order2\pc = exited(standard.text_io.put),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,put\item!3)
             post: (covering(.order2,#order2,put\item!3),
                    undeclare(put\item!3),
                    <adatr put (switched)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,u,v,switched)
             post: (covering(.order2,#order2,u,v,switched),
                    undeclare(u,v,switched),
                    <adatr u, ... : integer>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (terminated(order2))]

close -- 19 steps/applications

open -- [sd pre: (~(.u le .v))
            comod: (all)
            mod: (all)
            post: (terminated(order2),#stdout[1] le #stdout[2],
                   (#stdout[3] = 0 & #stdout[1] = stdin\232) &
                   #stdout[2] = stdin\234 or
                   (#stdout[3] = 1 & #stdout[1] = stdin\234) &
                   #stdout[2] = stdin\232)]

Complete the proof.

The  system  has  opened  the  proof  of  the  second  case  (u  >  v).  Since  this  case  is  similar  to  the 
first,  we  use  go  to  reach  one  of  our  goals,  terminated(order2).  Once  this  goal  is  reached, 
the  other  goals  will  have  been  achieved  as  well.  No  other  commands  are  necessary  for  this 
simple  proof. 

<sdvs.2.13.2.1> go

until[]: terminated(order2)

apply -- [sd pre: (~(.u le .v))
             comod: (all)
             mod: (order2\pc)
             post: (<adatr if u <= v
                             switched := 0;
                           else switch (u, ...);
                           end if;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2)
             post: (alldisjoint(order2,.order2,x,y),
                    covering(#order2,.order2,x,y),
                    declare(x,type(integer)),
                    declare(y,type(integer)),
                    <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,x,y)
             post: (#x = .u,#y = .v,
                    <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (#order2\pc = at(order2.switch),
                    <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2)
             post: (alldisjoint(order2,.order2,temp),
                    covering(#order2,.order2,temp),
                    declare(temp,type(integer)),
                    <adatr temp : integer>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,temp)
             post: (#temp = .x,
                    <adatr temp := x;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,x)
             post: (#x = .y,
                    <adatr x := y;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,y)
             post: (#y = .temp,
                    <adatr y := temp;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,temp)
             post: (covering(.order2,#order2,temp),undeclare(temp),
                    <adatr temp : integer>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (#order2\pc = exited(order2.switch),
                    <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,u,v)
             post: (#u = .x,#v = .y,
                    <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,x,y)
             post: (covering(.order2,#order2,x,y),undeclare(x,y),
                    <adatr switch (u, ...)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,switched)
             post: (#switched = 1,
                    <adatr switched := 1;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2)
             post: (alldisjoint(order2,.order2,put\item),
                    covering(#order2,.order2,put\item),
                    declare(put\item,type(polymorphic)),
                    <adatr put (u)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,put\item)
             post: (#put\item = .u,
                    <adatr put (u)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (#order2\pc = at(standard.text_io.put),
                    <adatr put (u)>)]

apply -- [sd pre: (.order2\pc = at(standard.text_io.put))
             comod: (all)
             mod: (order2\pc,stdout[.stdout\ctr],stdout\ctr)
             post: (#stdout[.stdout\ctr] = .put\item,
                    #stdout\ctr = .stdout\ctr + 1,
                    #order2\pc = exited(standard.text_io.put),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,put\item)
             post: (covering(.order2,#order2,put\item),
                    undeclare(put\item),
                    <adatr put (u)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2)
             post: (alldisjoint(order2,.order2,put\item!2),
                    covering(#order2,.order2,put\item!2),
                    declare(put\item!2,type(polymorphic)),
                    <adatr put (v)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,put\item!2)
             post: (#put\item!2 = .v,
                    <adatr put (v)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (#order2\pc = at(standard.text_io.put),
                    <adatr put (v)>)]

apply -- [sd pre: (.order2\pc = at(standard.text_io.put))
             comod: (all)
             mod: (order2\pc,stdout[.stdout\ctr],stdout\ctr)
             post: (#stdout[.stdout\ctr] = .put\item!2,
                    #stdout\ctr = .stdout\ctr + 1,
                    #order2\pc = exited(standard.text_io.put),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,put\item!2)
             post: (covering(.order2,#order2,put\item!2),
                    undeclare(put\item!2),
                    <adatr put (v)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2)
             post: (alldisjoint(order2,.order2,put\item!3),
                    covering(#order2,.order2,put\item!3),
                    declare(put\item!3,type(polymorphic)),
                    <adatr put (switched)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,put\item!3)
             post: (#put\item!3 = .switched,
                    <adatr put (switched)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (#order2\pc = at(standard.text_io.put),
                    <adatr put (switched)>)]

apply -- [sd pre: (.order2\pc = at(standard.text_io.put))
             comod: (all)
             mod: (order2\pc,stdout[.stdout\ctr],stdout\ctr)
             post: (#stdout[.stdout\ctr] = .put\item!3,
                    #stdout\ctr = .stdout\ctr + 1,
                    #order2\pc = exited(standard.text_io.put),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,put\item!3)
             post: (covering(.order2,#order2,put\item!3),
                    undeclare(put\item!3),
                    <adatr put (switched)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc,order2,u,v,switched)
             post: (covering(.order2,#order2,u,v,switched),
                    undeclare(u,v,switched),
                    <adatr u, ... : integer>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (order2\pc)
             post: (terminated(order2))]
close -- 30 steps/applications

join -- [sd pre: (true)
            comod: (all)
            mod: (all)
            post: (terminated(order2),#stdout[1] le #stdout[2],
                   (#stdout[3] = 0 & #stdout[1] = stdin\232) &
                   #stdout[2] = stdin\234 or
                   (#stdout[3] = 1 & #stdout[1] = stdin\234) &
                   #stdout[2] = stdin\232)]

close -- 13 steps/applications

<sdvs.3> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13

Restricted to authorized users only.

<sdvs.1> pp
object: proof
proof name: sdvsproof

proof sdvsproof:

(adatr "tutorial/order2.ada",
 prove order2.sd
   proof:
     (apply u(1),
      apply u(1),
      apply 6,
      go,
      cases .u le .v
        then proof:
          (apply 7,
           go ~(#u le #v))
        else proof: go terminated(order2)))


The first close is the “close” of the second case; the join that follows it combines the two
cases, and the second close is the “close” of the proof of order2.sd.
7.1.4 Ada loops


The  Ada  programs  in  the  first  three  Ada  examples  did  not  include  a  loop.  A  proof  of 
correctness  of  an  Ada  program  with  a  loop  will  almost  always  include  the  induct  command, 
which  we  illustrate  in  our  last  example. 


Example  17  Consider  the  Ada  program  add  in  the  file  add.ada. 

with text_io; use text_io;
with integer_io; use integer_io;
procedure add is
   i,s,x,y : integer;
begin
   get(x);
   get(y);
   i := 0;
   s := x;
   -- loop invariant: s = x + i
   while i < y loop
      i := i+1;
      s := s+1;
   end loop;
   put(s);
end add;

If the input for the object y is nonnegative, then the output of s is the sum of x and y.
(If y were negative, the loop body would never execute and s would remain equal to x, so
the restriction on the second input is necessary.) This is the assertion of the state delta add.sd:

[sd pre: (ada(add.ada),.stdin[2] ge 0)
    comod: (all)
    mod: (all)
    post: (terminated(add),#stdout[1] = .stdin[1] + .stdin[2])]

We  open  the  proof  of  add.sd  and  execute  to  the  “while”  loop  using  the  go  command  with 
no  parameters. 

<sdvs.1> adatr

path name[tutorial/order2.ada]: tutorial/add.ada
Parsing Stage 4 Ada file -- "tutorial/add.ada"

Translating Stage 4 Ada file -- "tutorial/add.ada"

<sdvs.2> setflag
flag variable: autoclose
on or off [off]: on

setflag autoclose -- on

<sdvs.3> init

proof name[]: <CR>

State Delta Verification System, Version 13

Restricted to authorized users only.

<sdvs.1> prove

state delta[]: add.sd
proof[]: <CR>

open -- [sd pre: (ada(add.ada),.stdin[2] ge 0)
            comod: (all)
            mod: (all)
            post: (terminated(add),
                   #stdout[1] = .stdin[1] + .stdin[2])]

Complete  the  proof. 

<sdvs.1.1> go
until[]: <CR>

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc)
             post: (<adatr procedure add is
                             i, ... : integer
                           begin
                             get (x);
                           end add;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add)
             post: (alldisjoint(add,.add,i,s,x,y),
                    covering(#add,.add,i,s,x,y),
                    declare(i,type(integer)),declare(s,type(integer)),
                    declare(x,type(integer)),declare(y,type(integer)),
                    <adatr i, ... : integer>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add)
             post: (alldisjoint(add,.add,get\item),
                    covering(#add,.add,get\item),
                    declare(get\item,type(polymorphic)),
                    <adatr get (x)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc)
             post: (#add\pc = at(standard.text_io.get),
                    <adatr get (x)>)]

apply -- [sd pre: (.add\pc = at(standard.text_io.get))
             comod: (all)
             mod: (add\pc,stdin\ctr,get\item)
             post: (#get\item = .stdin[.stdin\ctr],
                    #stdin\ctr = .stdin\ctr + 1,
                    #add\pc = exited(standard.text_io.get),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,x)
             post: (#x = .get\item,
                    <adatr get (x)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add,get\item)
             post: (covering(.add,#add,get\item),undeclare(get\item),
                    <adatr get (x)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add)
             post: (alldisjoint(add,.add,get\item!2),
                    covering(#add,.add,get\item!2),
                    declare(get\item!2,type(polymorphic)),
                    <adatr get (y)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc)
             post: (#add\pc = at(standard.text_io.get),
                    <adatr get (y)>)]

apply -- [sd pre: (.add\pc = at(standard.text_io.get))
             comod: (all)
             mod: (add\pc,stdin\ctr,get\item!2)
             post: (#get\item!2 = .stdin[.stdin\ctr],
                    #stdin\ctr = .stdin\ctr + 1,
                    #add\pc = exited(standard.text_io.get),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,y)
             post: (#y = .get\item!2,
                    <adatr get (y)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add,get\item!2)
             post: (covering(.add,#add,get\item!2),
                    undeclare(get\item!2),
                    <adatr get (y)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,i)
             post: (#i = 0,
                    <adatr i := 0;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,s)
             post: (#s = .x,
                    <adatr s := x;>)]

go -- no more declarations or statements

<sdvs.1.15> simp

expression: .x=.stdin[1] and .y=.stdin[2] and .i=0 and .s=.x and .y ge 0
true


<sdvs.1.15> usable

u(1) [sd pre: (~(.i lt .y))
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

u(2) [sd pre: (.i lt .y)
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

No usable quantified formulas.

<sdvs.1.15> applicable

The translation of the “while” loop is the conjunction of the two usable state deltas, u(1)
and u(2). But neither one is applicable, because neither precondition is necessarily true.
To proceed, we must use the cases command. The simpler of the two cases is ~(i < y):
since i = 0 and y ge 0 at this point, it forces the value of y to be 0, so the loop body is never
executed and s = x = x + y. Thus, we enter this predicate to the cases command and go
until terminated(add) is true.

<sdvs.1.15> cases

case predicate: ~(.i lt .y)

cases -- ~(.i lt .y)

open -- [sd pre: (~(.i lt .y))
            comod: (all)
            mod: (all)
            post: (terminated(add),
                   #stdout[1] = stdin\354 + stdin\352)]

<sdvs.1.15.1.1> applicable

u(1) [sd pre: (~(.i lt .y))
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

<sdvs.1.15.1.1> go

until[]: terminated(add)


apply -- [sd pre: (~(.i lt .y))
             comod: (all)
             mod: (add\pc)
             post: (<adatr while i < y
                             i := i + 1;
                           end loop;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add)
             post: (alldisjoint(add,.add,put\item),
                    covering(#add,.add,put\item),
                    declare(put\item,type(polymorphic)),
                    <adatr put (s)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,put\item)
             post: (#put\item = .s,
                    <adatr put (s)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc)
             post: (#add\pc = at(standard.text_io.put),
                    <adatr put (s)>)]

apply -- [sd pre: (.add\pc = at(standard.text_io.put))
             comod: (all)
             mod: (add\pc,stdout[.stdout\ctr],stdout\ctr)
             post: (#stdout[.stdout\ctr] = .put\item,
                    #stdout\ctr = .stdout\ctr + 1,
                    #add\pc = exited(standard.text_io.put),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add,put\item)
             post: (covering(.add,#add,put\item),
                    undeclare(put\item),
                    <adatr put (s)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add,i,s,x,y)
             post: (covering(.add,#add,i,s,x,y),undeclare(i,s,x,y),
                    <adatr i, ... : integer>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc)
             post: (terminated(add))]

close -- 8 steps/applications

open -- [sd pre: (~(~(.i lt .y)))
            comod: (all)
            mod: (all)
            post: (terminated(add),
                   #stdout[1] = stdin\354 + stdin\352)]

Complete the proof.

<sdvs.1.15.2.1> usable

u(1) [sd pre: (~(.i lt .y))
         comod: (all)
         mod: (all)
         post: (terminated(add),#stdout[1] = stdin\354 + stdin\352)]

u(2) [sd pre: (~(.i lt .y))
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

u(3) [sd pre: (.i lt .y)
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

No usable quantified formulas.

<sdvs.1.15.2.1> applicable

u(3) [sd pre: (.i lt .y)
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

<sdvs.1.15.2.1> letsd
name: loopsd1
state delta[]: u
number: 2

letsd -- loopsd1 = u(2)

<sdvs.1.15.2.2> letsd
name: loopsd2
state delta[]: u
number: 3

letsd -- loopsd2 = u(3)

<sdvs.1.15.2.3> pp
object: sd

state delta name: loopsd1

[sd pre: (~(.i lt .y))
    comod: (all)
    mod: (add\pc)
    post: (<adatr while i < y
                    i := i + 1;
                  end loop;>)]

The proof of the first case has closed and the proof of the second has opened. The first
usable state delta asserts that the first case leads to the goal. The conjunction of the second
and third usable state deltas is the translation of the “while” loop. Notice that we have
conveniently used the letsd command to label the two components of the loop. Only the
third state delta, loopsd2, is applicable.

As in Example 8 we have to induct on the counter i, from .i = 0 to .i = .y, with a
comodification list of x and y. But in this case, the induction invariant is trickier. It cannot
simply be .s = .x + .i, because at the step case proof there would be no state deltas to
apply: both loopsd1 and loopsd2 have all in their comodification lists, so neither survives
into a step case in which i, s and add\pc are assumed to have changed. In fact, at the step
case proof, loopsd2 must be applicable so that we may execute through the loop, i.e.,
increment i and s. So we must add it to the induction invariant. However, even this
addition will not suffice. The addition of loopsd2 to the invariant will allow us to complete
the induction. But after the “close” of the induction, .s = .x + .y and loopsd2 will both
be true, yet loopsd2 will not be applicable, because its precondition will be false. If at the
end of the induction proof we also had loopsd1 as a usable state delta, then we would be
able to proceed with the proof, because it would be applicable. Thus the invariant of the
induction proof must also include loopsd1. Finally, the modification list parameter of the
induction command must have add\pc as well as i and s, since the loop state deltas modify
add\pc on every iteration.

<sdvs.1.15.2.3> induct

induction expression: .i
from: 0
to: .y
invariant list[]: .s=.x+.i,formula(loopsd1),formula(loopsd2)
comodification list[]: x,y
modification list[]: i,s,add\pc
base proof[]: <CR>
step proof[]: <CR>

induction -- .i from 0 to .y

open -- [sd pre: (true)
            comod: (all)
            post: (.s = .x + .i,
                   [sd pre: (~(.i lt .y))
                       comod: (all)
                       mod: (add\pc)
                       post: (<adatr while i < y
                                       i := i + 1;
                                     end loop;>)],
                   [sd pre: (.i lt .y)
                       comod: (all)
                       mod: (add\pc)
                       post: (<adatr while i < y
                                       i := i + 1;
                                     end loop;>)],
                   .i = 0)]

close -- 0 steps/applications

open -- [sd pre: (.i ge 0,.i lt .y,.s = .x + .i,
                  [sd pre: (~(.i lt .y))
                      comod: (all)
                      mod: (add\pc)
                      post: (<adatr while i < y
                                      i := i + 1;
                                    end loop;>)],
                  [sd pre: (.i lt .y)
                      comod: (all)
                      mod: (add\pc)
                      post: (<adatr while i < y
                                      i := i + 1;
                                    end loop;>)])
            comod: (x,y)
            mod: (i,s,add\pc)
            post: (#s = #x + #i,
                   [sd pre: (~(.i lt .y))
                       comod: (all)
                       mod: (add\pc)
                       post: (<adatr while i < y
                                       i := i + 1;
                                     end loop;>)],
                   [sd pre: (.i lt .y)
                       comod: (all)
                       mod: (add\pc)
                       post: (<adatr while i < y
                                       i := i + 1;
                                     end loop;>)],
                   #i = .i + 1)]

Complete the proof.

The  base  case  of  the  induction  proof  has  closed  and  the  step  case  has  opened.  We  proceed 
with  apply  interspersed  with  queries. 


<sdvs.1.15.2.3.2.1> usable

u(1) [sd pre: (.i lt .y)
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

u(2) [sd pre: (~(.i lt .y))
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

No usable quantified formulas.

<sdvs.1.15.2.3.2.1> applicable

u(1) [sd pre: (.i lt .y)
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

<sdvs.1.15.2.3.2.1> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (.i lt .y)
             comod: (all)
             mod: (add\pc)
             post: (<adatr while i < y
                             i := i + 1;
                           end loop;>)]

<sdvs.1.15.2.3.2.2> usable

u(1) [sd pre: (true)
         comod: (all)
         mod: (add\pc,i)
         post: (#i = .i + 1,
                <adatr i := i + 1;>)]

No usable quantified formulas.

<sdvs.1.15.2.3.2.2> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,i)
             post: (#i = .i + 1,
                    <adatr i := i + 1;>)]

<sdvs.1.15.2.3.2.3> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,s)
             post: (#s = .s + 1,
                    <adatr s := s + 1;>)]

close -- 3 steps/applications

join induction cases -- [sd pre: (0 le .y)
                            comod: (all,x,y)
                            mod: (i,s,add\pc)
                            post: (#i = .y,#s = #x + #y,
                                   [sd pre: (~(.i lt .y))
                                       comod: (all)
                                       mod: (add\pc)
                                       post: (<adatr while i < y
                                                       i := ...;
                                                     end loop;>)],
                                   [sd pre: (.i lt .y)
                                       comod: (all)
                                       mod: (add\pc)
                                       post: (<adatr while i < y
                                                       i := ...;
                                                     end loop;>)])]

Complete the proof.

<sdvs.1.15.2.4> usable

u(1) [sd pre: (.i lt .y)
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

u(2) [sd pre: (~(.i lt .y))
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

No usable quantified formulas.

<sdvs.1.15.2.4> applicable

u(2) [sd pre: (~(.i lt .y))
         comod: (all)
         mod: (add\pc)
         post: (<adatr while i < y
                         i := i + 1;
                       end loop;>)]

<sdvs.1.15.2.4> simp

expression: .s=.x+.y and .x=.stdin[1] and .y=.stdin[2]

true

The  first  ^‘close”  was  the  end  of  the  step  case  of  the  induction  proof.  The  rest  of  the  proof 
is  now  routine.  We  execute  to  the  end  using  go. 


<sdvs.1.15.2.4> go

until[]: terminated(add)

apply -- [sd pre: (~(.i lt .y))
             comod: (all)
             mod: (add\pc)
             post: (<adatr while i < y
                             i := i + 1;
                           end loop;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add)
             post: (alldisjoint(add,.add,put\item),
                    covering(#add,.add,put\item),
                    declare(put\item,type(polymorphic)),
                    <adatr put (s)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,put\item)
             post: (#put\item = .s,
                    <adatr put (s)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc)
             post: (#add\pc = at(standard.text_io.put),
                    <adatr put (s)>)]

apply -- [sd pre: (.add\pc = at(standard.text_io.put))
             comod: (all)
             mod: (add\pc,stdout[.stdout\ctr],stdout\ctr)
             post: (#stdout[.stdout\ctr] = .put\item,
                    #stdout\ctr = .stdout\ctr + 1,
                    #add\pc = exited(standard.text_io.put),
                    <adatr null;>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add,put\item)
             post: (covering(.add,#add,put\item),
                    undeclare(put\item),
                    <adatr put (s)>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc,add,i,s,x,y)
             post: (covering(.add,#add,i,s,x,y),undeclare(i,s,x,y),
                    <adatr i, ... : integer>)]

apply -- [sd pre: (true)
             comod: (all)
             mod: (add\pc)
             post: (terminated(add))]

close -- 11 steps/applications

join -- [sd pre: (true)
            comod: (all)
            mod: (all)
            post: (terminated(add),
                   #stdout[1] = stdin\354 + stdin\352)]

close -- 15 steps/applications
<sdvs.2> quit

Q.E.D. The proof for this session is in 'sdvsproof'.

State Delta Verification System, Version 13

Restricted to authorized users only.

<sdvs.1> pp
object: proof
proof name: sdvsproof

proof sdvsproof:

prove add.sd
  proof:
    (go,
     cases ~(.i lt .y)
       then proof: go terminated(add)
       else proof:
         (letsd loopsd1 = u(2),
          letsd loopsd2 = u(3),
          induct on: .i
                 from: 0
                 to: .y
                 invariants: (.s = .x + .i,formula(loopsd1),
                              formula(loopsd2))
                 comodlist: (x,y)
                 modlist: (i,s,add\pc)
                 base proof:
                 step proof:
                   (apply u(1),
                    apply u(1),
                    apply u(1)),
          go terminated(add)))
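The inductive argument of Example 17 can be replayed mechanically. The following Python program is an added example, not code from the SDVS tutorial or from SDVS itself. It models the two guarded transitions that SDVS derives from the while statement (counterparts of loopsd1 and loopsd2, written as functions that return None when their precondition fails, which plays the role of "not applicable"), checks the invariant .s = .x + .i in the base case and across one iteration as the induct command does, and shows why add.sd needs the precondition .stdin[2] ge 0. The State class, the pc labels 'loop' and 'put', the input ranges and all function names are this example's own assumptions.

```python
"""Added example (not part of the SDVS tutorial): the induction for the
Ada program 'add' of Example 17, replayed as executable checks.

Assumptions of this example, not taken from the page: the State class and
its 'pc' labels, the input ranges used by exhaustive_check, and the
function names.
"""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class State:
    """The places of procedure add that the proof reasons about."""
    i: int
    s: int
    x: int
    y: int
    pc: str  # 'loop' at the while head, 'put' after it (stands for add\pc)


def run_prelude(stdin1: int, stdin2: int) -> State:
    """get(x); get(y); i := 0; s := x;  (the part executed by the first go)."""
    return State(i=0, s=stdin1, x=stdin1, y=stdin2, pc="loop")


def loopsd2(st: State) -> State | None:
    """Counterpart of loopsd2: pre .i lt .y, executes one body iteration."""
    if st.pc != "loop" or not st.i < st.y:
        return None  # not applicable
    return replace(st, i=st.i + 1, s=st.s + 1)


def loopsd1(st: State) -> State | None:
    """Counterpart of loopsd1: pre ~(.i lt .y), leaves the loop."""
    if st.pc != "loop" or st.i < st.y:
        return None  # not applicable
    return replace(st, pc="put")


def invariant(st: State) -> bool:
    """The first component of the induction invariant: .s = .x + .i."""
    return st.s == st.x + st.i


def base_case_holds(x: int, y: int) -> bool:
    """Induction base: the invariant at .i = 0, right after the prelude."""
    return invariant(run_prelude(x, y))


def step_case_holds(x: int, y: int, i: int) -> bool:
    """Induction step: .i ge 0, .i lt .y and the invariant imply that
    loopsd2 is applicable and that the invariant holds again with #i = .i + 1."""
    st = State(i=i, s=x + i, x=x, y=y, pc="loop")
    nxt = loopsd2(st)
    return nxt is not None and invariant(nxt) and nxt.i == i + 1


def run_to_termination(stdin1: int, stdin2: int, fuel: int = 10_000) -> int:
    """Apply whichever loop transition is applicable until the loop exits;
    returns the value written by put(s). fuel is only a runaway guard."""
    st = run_prelude(stdin1, stdin2)
    assert invariant(st)
    while st.pc == "loop" and fuel:
        # exactly one of the two transitions is applicable in any state
        assert not (loopsd1(st) and loopsd2(st)), "both transitions applicable"
        st = loopsd2(st) or loopsd1(st)
        assert invariant(st)
        fuel -= 1
    return st.s


def add_sd_postcondition(stdin1: int, stdin2: int) -> bool:
    """#stdout[1] = .stdin[1] + .stdin[2]"""
    return run_to_termination(stdin1, stdin2) == stdin1 + stdin2


def precondition_is_needed() -> bool:
    """add.sd requires .stdin[2] ge 0: with a negative y the loop never
    runs, s stays equal to x, and the postcondition is false."""
    return not add_sd_postcondition(5, -2) and add_sd_postcondition(5, 0)


def exhaustive_check(bound: int = 8) -> bool:
    """Base case, step case and postcondition over a small constructed range."""
    xs = range(-bound, bound + 1)
    ys = range(0, bound + 1)
    return (all(base_case_holds(x, y) for x in xs for y in ys)
            and all(step_case_holds(x, y, i) for x in xs for y in ys for i in range(y))
            and all(add_sd_postcondition(x, y) for x in xs for y in ys))


if __name__ == "__main__":
    print("all checks pass:", exhaustive_check())
    print("precondition needed:", precondition_is_needed())
```

The step check constructs an arbitrary state satisfying the invariant and the loop guard rather than one reached from a concrete input, which is what the induct command's step case does; the base check mirrors the first go through the declarations and the two get statements.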
7.2 VHDL


The following Stage 4 VHDL description, contained in the file full_adder_dataflow.vhdl,
models a hardware device we call a one-bit full adder. It accepts three input bits, x, y,
and cin (“carry-in”), which are to be added and the result recorded on output ports sum
and cout (“carry-out”), also of type BIT. The modeling is in the dataflow style of register-
transfer-like concurrent signal assignment statements.

The architecture uses an auxiliary signal a, which stores the logical exclusive or, XOR, of the
x and y input ports; a is subsequently XOR-ed with input port cin to yield the value of the
output port sum. The cout output port is set to bit '1' if any two of the three input ports
are '1'.

The architecture body consists of three concurrent signal assignment statements, in which
the explicit delays are arbitrarily chosen for illustrative purposes. The Stage 4 VHDL
translator will regard each of these concurrent signal assignment statements as an equivalent
PROCESS statement.


ENTITY full_adder IS
  PORT ( x, y, cin : IN  BIT;
         sum, cout : OUT BIT );
END full_adder;

ARCHITECTURE dataflow OF full_adder IS
  SIGNAL a : BIT;
BEGIN
  update_a :
    a <= x XOR y AFTER 3 NS;
  update_sum :
    sum <= a XOR cin AFTER 5 NS;
  update_cout :
    cout <= (x AND y) OR
            (x AND cin) OR
            (y AND cin) AFTER 7 NS;
END dataflow;
7.2.1 State Delta specification


We wish to formulate and prove the following claim about the VHDL description adder:

At any point at which the translation of the VHDL design entity ADDER holds, there
will be a point at which the model will have been elaborated and such that at some
later point, the values of the sum and cout signals will reflect the sum of the input
ports x, y, and cin; furthermore, at this point the model will be done executing.

This English-language specification is expressed as the following state delta, contained in
the file full_adder_dataflow.spec:

full_adder_dataflow.sd =

[sd pre: (vhdl(adder))
    comod: (all)
    mod: (all)
    post: (vhdl_model_elaboration_complete(adder),
           [sd pre: (true)
               comod: (all)
               mod: (all)
               post: (|#cout @ #sum| = |.x ++ .y ++ .cin|,
                      vhdl_model_execution_complete(adder))])]

A bit in SDVS is represented as a bitstring of length one. The theory of bitstrings implemented by the Simplifier includes the operators @ and ++, denoting bitstring concatenation and bitstring addition, respectively. Furthermore, the operator | | denotes the integer value of its bitstring argument under unsigned radix-two arithmetic. Its use in the above specification is crucial: whereas the concatenation of two bitstrings of length one produces a bitstring of length two, the bitstring sum of three bitstrings of length one is (by definition) a bitstring of length three; however, in our case the integer value of both sides of the equation should be the same.

The most important general observation to make about the above specification is the appearance of a nested state delta in the postcondition of the top-level SD full_adder_dataflow.sd, with the intuitively desired final state as the postcondition of the nested SD. This device is common to most SDVS VHDL specifications, reflecting the fact that it is the passage from the precondition time to the postcondition time of the top-level SD that allows the places mentioned in the final (nested) postcondition to be created by elaboration of the corresponding declarations in the VHDL description. Referring to these places in advance of their creation, e.g. in the postcondition of the top-level SD, can result in false specifications in cases where the corresponding declarations contain initialization expressions.

Henceforth,  “SD”  is  an  abbreviation  for  “state  delta.” 
The practical consequence of this structure for the specification is that during the proof, once symbolic execution has reached a point where all the declarations have been elaborated, it is necessary to open a proof of the nested SD, and this is the only point at which it is appropriate to do so.

7.2.2 Interactive proof development

We present the trace of an interactive SDVS proof session showing the construction of a proof that the VHDL description satisfies its specification. This trace is punctuated with various remarks elucidating typical aspects of VHDL correctness proofs. The reader is referred to [18] for a formal semantic specification of the Stage 4 VHDL language translator.

Our general proof strategy is to simulate the VHDL description with symbolic values, aiming to reach a state in which the final postcondition of the state delta specification full_adder_dataflow.sd is true. At points in the proof where no usable state deltas are known to be applicable, static reasoning (by invocation of suitable lemmas) will establish that certain preconditions do indeed hold, so that symbolic execution can proceed.

The  salient  aspects  of  the  general  correctness  proof  of  the  one-bit  full  adder,  distinguishing 
it  from  mere  simulation  of  the  description  with  concrete  values,  are  as  follows: 


•  The initial values of the input ports x, y, and cin are symbolic rather than concrete bit values.

   The VHDL Language Reference Manual (LRM) [5] specifies implicit default values for objects that lack an explicit default expression in their declarations (see, e.g., Section 4.3.1.2 of [5]). We conjecture that the rationale for this (rather odd) convention stems from the simulation semantics for VHDL as defined by the LRM: without concrete values for objects, a description cannot be simulated (in the usual sense of the word). On the other hand, for the purposes of verification, it is not at all suitable to assume implicit default values for uninitialized objects: by definition, a correctness proof must be valid for arbitrary values of (nonconstant) objects. Therefore, the VHDL translator assigns symbolic values to uninitialized objects.

•  Symbolic values for the input ports imply two important consequences for the correctness proof:

   -  During each execution cycle, when the VHDL translator updates signals and then determines which processes should resume, a case analysis must be made on whether actual events occurred on signals to which processes are sensitive, that is, whether the updates actually changed those signals' values. Indeed, according to the LRM [5], a process that resumes execution by virtue of its sensitivity to a signal does so only as a result of such an event; "stuttering" on the old signal value is not enough.

   -  When, as the result of an inertial signal assignment statement, the projected output waveform on a signal's driver is updated with new transactions, a case analysis must be made on whether the signal value currently scheduled for the greatest time strictly less than the time of the earliest new transaction is, or is not, equal to the value of that new transaction. The VHDL LRM preemption rules for updating the projected output waveform distinguish between these cases (see [5], Section 8.3.1).

We  begin  by  initializing  the  system  and  turning  the  autoclose  flag  to  off,  in  order  to 
develop  the  proof  without  SDVS  closing  it  automatically. 


<sdvs.1> init

proof name []: <CR>

State Delta Verification System, Version 11

Restricted to authorized users only.

<sdvs.1> setflag

flag variable: autoclose
on or off [on]: off

setflag autoclose -- off

Our first essential order of business is to translate the VHDL design entity residing in file full_adder_dataflow.vhdl into its state delta representation, vhdl(adder), so that we may prove our claim about it. This is done by invoking the VHDL translator with the command vhdltr, given the following arguments: design name, directory name, source files, and name of the configuration declaration to be used. Care should be taken to terminate the directory name with a "/". If a VHDL design entity is purely behavioral, requiring no configuration declaration for the binding of component instances, then "none" should be specified in response to the prompt "using configuration"; otherwise, the name of the configuration declaration should be given, and this configuration declaration should occur in the last file to be translated.

<sdvs.2> vhdltr

design name [foo]: adder
directory name [testproofs/vhdl/]: <CR>
file names [foo.vhdl]: full_adder_dataflow.vhdl
using configuration [none]: <CR>

Parsing Stage 4 VHDL file -- "testproofs/vhdl/full_adder_dataflow.vhdl"
Translating Stage 4 VHDL design -- "ADDER"

<sdvs.3> pp
object: vhdl

design name [foo]: adder

alldisjoint(adder,.adder)
covering(.adder,adder\pc,vhdltime,vhdltime_previous)
declare(vhdltime,type(vhdltime))
declare(vhdltime_previous,type(vhdltime))
.vhdltime = vhdltime(0,0)
.vhdltime_previous = vhdltime(0,0)
[sd pre: (true)
    comod: (all)
    mod: (adder\pc)
    post: (<VHDLTR>)]

We have just exhibited the "initial segment" of the translation of the full adder description, consisting of the declaration and initialization of the places vhdltime and vhdltime_previous, as well as a state delta whose postcondition contains a representation of (a state delta for) the incremental continuation of the translation.

In  general,  each  state  delta  generated  by  the  VHDL  translator  will  contain,  as  part  of 
its  postcondition,  a  continuation  label  enclosed  in  angle  brackets;  this  continuation  label 
simply  stands  for  the  next  state  delta  to  be  incrementally  generated  by  the  translator  —  the 
continuation.  The  generic  label  <VHDLTR>  appears  most  frequently,  but  occasional  labels 
attempt  to  be  more  descriptive  of  the  next  increment  of  translation. 

Sometimes, as in the initial segment of translation, the translator generates a state delta with precondition (true), comodlist (all), a (\pc) modlist, and only a continuation in the postcondition. Such a state delta corresponds to an action to be unconditionally performed by the translator, resulting in no change in the state (contents of places) except for the program counter. When such a state delta is applied, it is not printed out in its entirety in the proof trace; rather, the tag action is printed, followed by the continuation label.

<sdvs.3> read

path name [testproofs/foo.proofs]: testproofs/vhdl/full_adder_dataflow.spec

Definitions read from file "testproofs/vhdl/full_adder_dataflow.spec"

-- (full_adder_dataflow.sd, full_adder_dataflow_original.sd)

<sdvs.4> ppsd

state delta: full_adder_dataflow.sd

[sd pre: (vhdl(adder))
    mod: (all)
    post: (vhdl_model_elaboration_complete(adder),
           [sd pre: (true)
               comod: (all)
               mod: (all)
               post: (|#cout @ #sum| = |(.x ++ .y) ++ .cin|,
                      vhdl_model_execution_complete(adder))])]

This  is  the  specification  to  be  proved. 

The proof will require two lemmas concerning bitstrings, which we read from a file and display.

<sdvs.4> read

path name [testproofs/vhdl/full_adder_dataflow.spec]: testproofs/vhdl/full_adder_dataflow.lemmas

Definitions read from file "testproofs/vhdl/full_adder_dataflow.lemmas"

-- (append_cout_sum_lemma)

<sdvs.5> pp

object: append_cout_sum_lemma

lemma append_cout_sum_lemma(x,y,cin,sum,cout):
  (((((lh(x) = 1 &
       lh(y) = 1) &
      lh(cin) = 1) &
     lh(sum) = 1) &
    lh(cout) = 1) &
   sum = (x usxor y) usxor cin) &
  cout = (x && y usor x && cin) usor y && cin
  --> |cout @ sum| = |(x ++ y) ++ cin|

Lemma append_cout_sum_lemma asserts that if bits sum and cout are related to bits x, y, and cin as indicated, then the bitstring concatenation of cout with sum has the same integer value as the bitstring sum of x, y and cin. Again, this lemma has an easy proof by exhaustive case analysis of the possibilities for x, y, and cin.

Note that this lemma essentially mimics the way in which the VHDL description computes sum and cout; not surprisingly, it will be used to establish the required static fact upon completion of the dynamic symbolic execution of the description.
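As an added illustration (not from the tutorial or from SDVS itself), the following Python models the bitstring operators the lemma uses and carries out the exhaustive case analysis; the length rule assumed for ++ (one bit longer than its longer operand, which gives the length three the text mentions) and the method names are assumptions of the example.

```python
# Added example, not SDVS code: a small model of the Simplifier's bitstring
# theory as used by append_cout_sum_lemma, plus the eight-case proof.
from itertools import product


class Bits:
    """A bitstring as (unsigned value, length); |b| is simply b.value."""

    def __init__(self, value, length):
        assert 0 <= value < (1 << length), "value does not fit the length"
        self.value, self.length = value, length

    def concat(self, other):
        # the page's @ operator: self becomes the high-order bits
        return Bits((self.value << other.length) | other.value,
                    self.length + other.length)

    def add(self, other):
        # the page's ++ operator; assumed length rule: max length plus one,
        # so (x ++ y) ++ cin on one-bit operands has length three
        return Bits(self.value + other.value,
                    max(self.length, other.length) + 1)

    def usxor(self, other):
        return Bits(self.value ^ other.value, self.length)

    def usor(self, other):
        return Bits(self.value | other.value, self.length)

    def usand(self, other):
        # written && on the page
        return Bits(self.value & other.value, self.length)


def lemma_holds(x, y, cin):
    """Instantiate the lemma's hypotheses for one-bit x, y, cin: sum and
    cout are computed exactly as the VHDL description computes them, and
    the conclusion |cout @ sum| = |(x ++ y) ++ cin| is checked."""
    s = x.usxor(y).usxor(cin)
    cout = x.usand(y).usor(x.usand(cin)).usor(y.usand(cin))
    lhs, rhs = cout.concat(s), x.add(y).add(cin)
    # the two sides have different lengths (2 and 3); only the integer
    # values are required to agree, which is why | | appears in the spec
    return lhs.length == 2 and rhs.length == 3 and lhs.value == rhs.value


def prove_by_cases():
    """Exhaustive case analysis over the eight assignments to x, y, cin."""
    return all(lemma_holds(Bits(a, 1), Bits(b, 1), Bits(c, 1))
               for a, b, c in product((0, 1), repeat=3))
```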

We now open the proof of full_adder_dataflow.sd:

<sdvs.5> prove

state delta []: full_adder_dataflow.sd
proof []: <CR>

open -- [sd pre: (vhdl(adder))
             mod: (all)
             post: (vhdl_model_elaboration_complete(adder),
                    [sd pre: (true)
                        comod: (all)
                        mod: (all)
                        post: (|#cout @ #sum| = |(.x ++ .y) ++ .cin|,
                               vhdl_model_execution_complete(adder))])]

Complete  the  proof. 

<sdvs.5.1>  nsd 

[sd  pre:  (true) 
comod:  (all) 

mod:  (adder\pc) 
post:  (<VHDLTR>)] 

The applicable state delta just shown is the "bootstrap" state delta for the incremental translation of the Stage 4 VHDL description. Issuing the command go with the until argument of vhdl_model_elaboration_complete(adder) will apply this state delta as the first in a sequence of continuations that accomplish automatic elaboration of the entity port declarations for x, y, cin, sum, and cout, as well as of the internal signal a in the architecture body and the processes represented by the three concurrent signal assignment statements.

<sdvs.5.1> go

until []: vhdl_model_elaboration_complete(adder)

action -- <VHDLTR>

apply -- [sd pre: (true)
              comod: (all)
              mod: (adder\pc,adder)
              post: (alldisjoint(adder,.adder,x,y,cin,driver\x,driver\y,
                                 driver\cin),
                     covering(#adder,.adder,x,y,cin,driver\x,driver\y,
                              driver\cin),
                     declare(x,type(bit)),
                     declare(driver\x,type(waveform,type(bit))),
                     declare(x,type(fn,val(.driver\x,.vhdltime))),
                     declare(y,type(bit)),
                     declare(driver\y,type(waveform,type(bit))),
                     declare(y,type(fn,val(.driver\y,.vhdltime))),
                     declare(cin,type(bit)),
                     declare(driver\cin,type(waveform,type(bit))),
                     declare(cin,type(fn,val(.driver\cin,.vhdltime))),
                     <VHDLTR>)]

apply -- [sd pre: (true)
              comod: (all)
              mod: (adder\pc,x,y,cin,driver\x,driver\y,driver\cin)
              post: (#driver\x
                       = waveform(x,transaction(vhdltime(0,0),x\13)),
                     #driver\y
                       = waveform(y,transaction(vhdltime(0,0),y\15)),
                     #driver\cin
                       = waveform(cin,
                                  transaction(vhdltime(0,0),cin\17)),
                     <VHDLTR>)]

apply -- [sd pre: (true)
              comod: (all)
              mod: (adder\pc,adder)
              post: (alldisjoint(adder,.adder,sum,cout,driver\sum,
                                 driver\cout),
                     covering(#adder,.adder,sum,cout,driver\sum,
                              driver\cout),
                     declare(sum,type(bit)),
                     declare(driver\sum,type(waveform,type(bit))),
                     declare(sum,type(fn,val(.driver\sum,.vhdltime))),
                     declare(cout,type(bit)),
                     declare(driver\cout,type(waveform,type(bit))),
                     declare(cout,type(fn,val(.driver\cout,.vhdltime))),
                     <VHDLTR>)]

apply -- [sd pre: (true)
              comod: (all)
              mod: (adder\pc,sum,cout,driver\sum,driver\cout)
              post: (#driver\sum
                       = waveform(sum,
                                  transaction(vhdltime(0,0),sum\22)),
                     #driver\cout
                       = waveform(cout,
                                  transaction(vhdltime(0,0),cout\24)),
                     <VHDLTR>)]

apply -- [sd pre: (true)
              comod: (all)
              mod: (adder\pc,adder)
              post: (alldisjoint(adder,.adder,a,driver\a),
                     covering(#adder,.adder,a,driver\a),
                     declare(a,type(bit)),
                     declare(driver\a,type(waveform,type(bit))),
                     declare(a,type(fn,val(.driver\a,.vhdltime))),
                     <VHDLTR>)]

apply -- [sd pre: (true)
              comod: (all)
              mod: (adder\pc,a,driver\a)
              post: (#driver\a
                       = waveform(a,transaction(vhdltime(0,0),a\29)),
                     <VHDLTR>)]

action -- <ELABORATE PROCESS: UPDATE_A>
action -- <ELABORATE PROCESS: UPDATE_SUM>
action -- <ELABORATE PROCESS: UPDATE_COUT>
go -- breakpoint reached
<sdvs.5.11>


The evaluation of the three SDVS commands vhdltime, vhdl-signals, and vhdl-processes is a convenient means of querying SDVS about aspects of the state of the Stage 4 VHDL proof. Particularly in the case of signals, this query provides information in a much more intelligible form than that returned by, say, the query command ppl. Note that 0(1) is the Simplifier representation of the bitstring with integer value 0 and length 1, that is, the bit '0'.


<sdvs.5.11> vhdltime

global time = 0
delta time = 0

<sdvs.5.11> vhdl-signals

signal-names [all]: <CR>
simplify? [no]: <CR>

signal X :
  current value = x\13
  previous value = x\13
  projected output waveform = ()
  driver history = (transaction(vhdltime(0,0),x\13))

signal Y :
  current value = y\15
  previous value = y\15
  projected output waveform = ()
  driver history = (transaction(vhdltime(0,0),y\15))

signal CIN :
  current value = cin\17
  previous value = cin\17
  projected output waveform = ()
  driver history = (transaction(vhdltime(0,0),cin\17))

signal SUM :
  current value = sum\22
  previous value = sum\22
  projected output waveform = ()
  driver history = (transaction(vhdltime(0,0),sum\22))

signal COUT :
  current value = cout\24
  previous value = cout\24
  projected output waveform = ()
  driver history = (transaction(vhdltime(0,0),cout\24))

signal A :
  current value = a\29
  previous value = a\29
  projected output waveform = ()
  driver history = (transaction(vhdltime(0,0),a\29))


The declarations have been elaborated symbolically. For example, places x and driver\x have been created to represent a signal and its driver, respectively, and the contents of driver\x have been initialized with waveform(x,transaction(vhdltime(0,0),x\13)), a waveform (indexed by x) consisting of a single transaction. This transaction stipulates that at vhdltime(0,0), x acquires the symbolic bit value x\13.

In the display generated by the command vhdl-signals, the driver is split conceptually into two disjoint parts, each represented as a list:

•  A projected output waveform, consisting of future transactions scheduled to occur on the signal (some of which might be preempted, or deleted from the waveform, during subsequent execution of the description). The time components of projected transactions are all greater than the vhdltime. For ease of reference, the projected transactions are displayed in chronological order according to their time components, so that the next scheduled transaction occurs first in the list.

•  A driver history, consisting of those transactions that have already been "actualized," i.e., whose time component is at most the value .vhdltime. For ease of reference once again, but in contradistinction to the projected output waveform, these transactions are displayed in reverse chronological order: the most recent actualized transaction for the signal appears at the head of the driver history, and its value component is always the current value of the signal driver.

Thus, the entire signal driver itself is the concatenation of the reverse of the driver history with the projected output waveform.


<sdvs.5.11> vhdl-processes
process-names [all]: <CR>

process UPDATE_A :
  current state = SUSPENDED
  scheduled time = VHDLTIME(0,0)
  scheduled reason = INITIALIZATION

process UPDATE_SUM :
  current state = SUSPENDED
  scheduled time = VHDLTIME(0,0)
  scheduled reason = INITIALIZATION

process UPDATE_COUT :
  current state = SUSPENDED
  scheduled time = VHDLTIME(0,0)
  scheduled reason = INITIALIZATION

Note that the Stage 4 VHDL translator represents the three concurrent signal assignment statements as processes.

All processes are shown as currently suspended, because we have not yet begun executing the model, but they are scheduled to "resume" execution at vhdltime(0,0), by reason of the initialization phase of the simulation semantics informally defined in the VHDL LRM [5]. In the initialization phase, each process is executed until it suspends. As the next applicable state delta indicates, the translation is ready to commence model execution.

<sdvs.5.11> nsd

[sd pre: (true)
    comod: (all)
    mod: (adder\pc)
    post: (<BEGIN VHDL MODEL EXECUTION>)]

<sdvs.5.11> whynotgoal
simplify? [no]: <CR>

g(2) [sd pre: (true)
         comod: (all)
         mod: (all)
         post: (|#cout @ #sum| = |(.x ++ .y) ++ .cin|,
                vhdl_model_execution_complete(adder))]

This  is  an  appropriate  point  at  which  to  open  a  proof  of  the  goal  g(2). 

<sdvs.5.11> prove
state delta []: g
number: 2
proof []: <CR>

open -- [sd pre: (true)
             comod: (all)
             mod: (all)
             post: (|#cout @ #sum| = |(.x ++ .y) ++ .cin|,
                    vhdl_model_execution_complete(adder))]

Complete  the  proof. 

Applying  the  next  and  subsequent  applicable  state  deltas  causes  each  process  to  execute, 
in  order,  and  then  suspend. 

<sdvs.5.11.1> apply

sd/number [highest applicable/once]: 4

action -- <BEGIN VHDL MODEL EXECUTION>
action -- <BEGIN INITIALIZATION PHASE>
action -- <... INITIALIZATION PHASE: EACH PROCESS EXECUTES UNTIL SUSPENSION>
action -- <EXECUTE PROCESS: UPDATE_A>

<sdvs.5.11.5> usable

u(1) [sd pre: (~(preemption(.driver\a,
                            transaction(timeplus(.vhdltime,
                                                 vhdltime(3000000,0)),
                                        .x usxor .y))))
         comod: (all)
         mod: (adder\pc,driver\a)
         post: (#driver\a
                  = inertial_update(.driver\a,
                                    transaction(timeplus(.vhdltime,
                                                         vhdltime(3000000,0)),
                                                .x usxor .y)),
                <VHDLTR>)]

u(2) [sd pre: (preemption(.driver\a,
                          transaction(timeplus(.vhdltime,
                                               vhdltime(3000000,0)),
                                      .x usxor .y)))
         comod: (all)
         mod: (adder\pc,driver\a)
         post: (#driver\a
                  = inertial_update(.driver\a,
                                    transaction(timeplus(.vhdltime,
                                                         vhdltime(3000000,0)),
                                                .x usxor .y)),
                <VHDLTR>)]

No usable quantified formulas.


The above pair of usable SDs constitute the state delta semantics of the signal assignment a <= x XOR y AFTER 3 NS in the body of process update_a; it is important to understand the rationale for this. The VHDL semantics of inertial driver update (the default being used here, as opposed to transport update, which must be explicitly specified in the signal assignment statement) requires that the inertial update take into account whether or not currently scheduled transactions on the projected output waveform are to be preempted (replaced) by the new transaction(s) to be scheduled ([5], Section 8.3.1). Thus, the translation of the signal assignment statement generates a conjunction of two SDs, each predicated in its precondition on the occurrence of preemption or not. Note that the disjunction of the two preconditions is simply true, meaning that the update will occur in any case; the only difference will be in the transactions of the projected output waveform following the update.

In the present situation, the projected output waveform of signal a is empty, so only state delta u(1) is applicable. However, we will have occasion to revisit this issue later on in a less obvious situation.

Observe  also  how  the  Stage  4  VHDL  translator  converts  all  VHDL  TIME  units  to  femtosec- 
onds,  so  that  3  nanoseconds  (3  NS)  is  represented  as  3000000  femtoseconds. 

Invoking the SDVS go command causes successive next-applicable state deltas to be applied until the current goal is reached or the top usable state delta is not applicable (or until an explicitly stated condition is reached).


<sdvs.5.11.5> go
until []: <CR>

apply -- [sd pre: (~(preemption(.driver\a,
                                transaction(timeplus(.vhdltime,
                                                     vhdltime(3000000,0)),
                                            .x usxor .y))))
              comod: (all)
              mod: (adder\pc,driver\a)
              post: (#driver\a
                       = inertial_update(.driver\a,
                                         transaction(timeplus(.vhdltime,
                                                              vhdltime(3000000,0)),
                                                     .x usxor .y)),
                     <VHDLTR>)]

action -- <SUSPEND PROCESS: UPDATE_A>
action -- <... INITIALIZATION PHASE: EACH PROCESS EXECUTES UNTIL SUSPENSION>
action -- <EXECUTE PROCESS: UPDATE_SUM>

apply -- [sd pre: (~(preemption(.driver\sum,
                                transaction(timeplus(.vhdltime,
                                                     vhdltime(5000000,0)),
                                            .a usxor .cin))))
              comod: (all)
              mod: (adder\pc,driver\sum)
              post: (#driver\sum
                       = inertial_update(.driver\sum,
                                         transaction(timeplus(.vhdltime,
                                                              vhdltime(5000000,0)),
                                                     .a usxor .cin)),
                     <VHDLTR>)]

action -- <SUSPEND PROCESS: UPDATE_SUM>
action -- <... INITIALIZATION PHASE: EACH PROCESS EXECUTES UNTIL SUSPENSION>
action -- <EXECUTE PROCESS: UPDATE_COUT>

apply -- [sd pre: (~(preemption(.driver\cout,
                                transaction(timeplus(.vhdltime,
                                                     vhdltime(7000000,0)),
                                            (.x && .y usor
                                             .x && .cin) usor
                                            .y && .cin))))
              comod: (all)
              mod: (adder\pc,driver\cout)
              post: (#driver\cout
                       = inertial_update(.driver\cout,
                                         transaction(timeplus(.vhdltime,
                                                              vhdltime(7000000,0)),
                                                     (.x && .y usor
                                                      .x && .cin) usor
                                                     .y && .cin)),
                     <VHDLTR>)]

action -- <SUSPEND PROCESS: UPDATE_COUT>

action -- <END INITIALIZATION PHASE>


Having completed the initialization phase of execution, the VHDL translator determines the earliest future time at which a signal driver becomes active (i.e., has a transaction on its projected output waveform) or a process is scheduled to resume (by reason of timeout or sensitivity to a signal). This earliest time, if it exists, is the one to which vhdltime is advanced, initiating a new execution cycle: signals are updated and processes (possibly) resumed [5].


action -- <BEGIN EXECUTION CYCLE:
             1. ADVANCE EXECUTION TIME,
             2. UPDATE SIGNALS,
             3. RESUME PROCESSES>

apply -- [sd pre: (true)
              comod: (all)
              mod: (adder\pc,vhdltime,vhdltime_previous,a)
              post: (#vhdltime = vhdltime(3000000,0),
                     #vhdltime_previous = .vhdltime,
                     <UPDATE SIGNALS>)]

action -- <RESUME (?) NEXT SCHEDULED PROCESS: UPDATE_SUM>

go -- no more declarations or statements

<sdvs.5.11.19> vhdltime

global time = 3000000
delta time = 0

<sdvs.5.11.19> vhdl-signals

signal-names [all]: a, sum, cout
simplify? [no]: yes

signal A :
  current value = x\13 usxor y\15
  previous value = a\29
  projected output waveform = ()
  driver history = (transaction(vhdltime(3000000,0),
                                x\13 usxor y\15),
                    transaction(vhdltime(0,0),a\29))

signal SUM :
  current value = sum\22
  previous value = sum\22
  projected output waveform = (transaction(vhdltime(5000000,0),
                                           a\29 usxor cin\17))
  driver history = (transaction(vhdltime(0,0),sum\22))

signal COUT :
  current value = cout\24
  previous value = cout\24
  projected output waveform = (transaction(vhdltime(7000000,0),
                                           (x\13 && y\15 usor
                                            x\13 && cin\17) usor
                                           y\15 && cin\17))
  driver history = (transaction(vhdltime(0,0),cout\24))

<sdvs.5.11.19> vhdl-processes
process-names [all]: <CR>

process UPDATE_A :
  current state = SUSPENDED

process UPDATE_SUM :
  current state = SUSPENDED
  scheduled time = VHDLTIME(3000000,0)
  scheduled reason = SENSITIVITY

process UPDATE_COUT :
  current state = SUSPENDED

Note that the query vhdl-processes reveals that of the three processes, only update_sum might resume execution at any later time. This is as it should be, in light of the following facts:

•  the other two processes are sensitive only to the input signals; and

•  we are operating under the implicit stability assumption that the input signals do not change for the settle time of the description [21].

<sdvs.5.11.19> usable

u(1) [sd pre: (.a = val(.driver\a,.vhdltime_previous),
               .cin = val(.driver\cin,.vhdltime_previous))
         comod: (all)
         mod: (adder\pc)
         post: (<END EXECUTION CYCLE>)]

u(2) [sd pre: (.cin ~= val(.driver\cin,.vhdltime_previous))
         comod: (all)
         mod: (adder\pc)
         post: ([sd pre: (true)
                    comod: (all)
                    mod: (adder\pc)
                    post: (<EXECUTE PROCESS: UPDATE_SUM>)])]

u(3) [sd pre: (.a ~= val(.driver\a,.vhdltime_previous))
         comod: (all)
         mod: (adder\pc)
         post: ([sd pre: (true)
                    comod: (all)
                    mod: (adder\pc)
                    post: (<EXECUTE PROCESS: UPDATE_SUM>)])]

No usable quantified formulas.

<sdvs.5.11.19> nsd

No applicable state deltas.

<sdvs.5.11.19> whynotapply

state delta [highest usable]: u
number: 1

Because the following is not known to be true
.a = val(.driver\a,.vhdltime_previous)


This is the first crucial point to understand in the symbolic execution, as it relies on an important aspect of VHDL semantics. The essential point to realize is that the resumption of the process update_sum is contingent upon whether or not the signal a, to which the process is sensitive, has actually received a new and different value at the current time, vhdltime(3000000,0) (the value of signal cin will necessarily remain unchanged, as this signal is a port of mode IN). The VHDL semantics of process resumption requires that such an event on a must have occurred in order for update_sum to resume execution.

Thus, in order to render one of the two usable state deltas applicable, we must open up an argument by cases at this point.
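The event-versus-stutter case split just described, and the preemption case split noted earlier for the inertial signal assignments, are made concrete in this added Python model of the translator's driver semantics (it is an illustration written for this page, not SDVS code); it assumes the VHDL-87 inertial preemption rule as sketched in the comments, the translator's femtosecond time base, and that the input ports stay stable, as the proof assumes.

```python
# Added example, not SDVS or translator code. A driver is split, as in the
# vhdl-signals display, into a driver history (most recent first) and a
# projected output waveform (chronological). Assumed inertial rule (VHDL-87,
# Section 8.3.1): old transactions at or after the new one are deleted, and
# earlier ones survive only as an unbroken run carrying the new value.
NS = 1_000_000  # the translator represents 3 NS as 3000000 femtoseconds


class Driver:
    def __init__(self, init_value):
        self.history = [(0, init_value)]  # reverse chronological order
        self.projected = []               # chronological, times > now

    def value(self):
        return self.history[0][1]

    def inertial_update(self, time, value):
        """Schedule transaction (time, value). Returns True iff some old
        projected transaction was preempted: the case split behind the
        pair of usable SDs the translator emits per signal assignment."""
        kept = [t for t in self.projected if t[0] < time]
        i = len(kept)
        while i > 0 and kept[i - 1][1] == value:
            i -= 1
        survivors = kept[i:]
        preempted = len(survivors) != len(self.projected)
        self.projected = survivors + [(time, value)]
        return preempted


def update_signal(drv, now):
    """Actualize every projected transaction due at `now`; return True iff an
    event occurred, i.e. the driver value actually changed (stuttering on the
    old value is not an event and resumes no process)."""
    old = drv.value()
    while drv.projected and drv.projected[0][0] <= now:
        drv.history.insert(0, drv.projected.pop(0))
    return drv.value() != old


def simulate_full_adder(x, y, cin, a0=0, sum0=0, cout0=0):
    """Execute the three concurrent signal assignments of the dataflow
    architecture with concrete bits until nothing is pending. Returns
    (cout, sum, trace), where trace lists (time, process, preempted) for
    every process execution, so resumptions and preemptions are visible.
    a0, sum0, cout0 play the role of the symbolic initial values a\\29 etc."""
    d = {"x": Driver(x), "y": Driver(y), "cin": Driver(cin),
         "a": Driver(a0), "sum": Driver(sum0), "cout": Driver(cout0)}
    v = lambda n: d[n].value()
    procs = [  # (name, sensitivity set, target signal, delay, expression)
        ("update_a", {"x", "y"}, "a", 3 * NS, lambda: v("x") ^ v("y")),
        ("update_sum", {"a", "cin"}, "sum", 5 * NS, lambda: v("a") ^ v("cin")),
        ("update_cout", {"x", "y", "cin"}, "cout", 7 * NS,
         lambda: (v("x") & v("y")) | (v("x") & v("cin")) | (v("y") & v("cin"))),
    ]
    trace, now = [], 0

    def execute(proc):
        name, _, target, delay, expr = proc
        trace.append((now, name, d[target].inertial_update(now + delay, expr())))

    for p in procs:            # initialization phase: each process runs once
        execute(p)
    while True:                # execution cycles
        pending = [drv.projected[0][0] for drv in d.values() if drv.projected]
        if not pending:
            break
        now = min(pending)     # 1. advance execution time
        events = {n for n, drv in d.items() if update_signal(drv, now)}  # 2.
        for p in procs:        # 3. resume only processes with an event on a
            if events & p[1]:  #    sensitive signal
                execute(p)
    return v("cout"), v("sum"), trace
```

With x=1, y=0, cin=0 and a0=0 the value of a changes at 3 ns, update_sum resumes, and its new transaction at 8 ns preempts the one scheduled at 5 ns during initialization; with x=1, y=1 the update of a at 3 ns stutters, update_sum stays suspended, and the initialization-phase transaction on sum stands.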

<sdvs.5.11.19> cases

case predicate: .a = val(.driver\a,.vhdltime_previous)

cases

.a = val(.driver\a,.vhdltime_previous)

open -- [sd pre: (.a = val(.driver\a,.vhdltime_previous))
             comod: (all)
             mod: (all)
             post: (|#cout @ #sum|
                      = |(x\36 ++ y\37) ++ cin\38|,
                    vhdl_model_execution_complete(adder))]


<sdvs.5.11.19.1.1> apply

sd/number [highest applicable/once]: 3

apply -- [sd pre: (.a = val(.driver\a,.vhdltime_previous),
                   .cin = val(.driver\cin,.vhdltime_previous))
              comod: (all)
              mod: (adder\pc)
              post: (<END EXECUTION CYCLE>)]

action -- <BEGIN EXECUTION CYCLE:
             1. ADVANCE EXECUTION TIME,
             2. UPDATE SIGNALS,
             3. RESUME PROCESSES>

apply -- [sd pre: (true)
              comod: (all)
              mod: (adder\pc,vhdltime,vhdltime_previous,sum)
              post: (#vhdltime = vhdltime(5000000,0),
                     #vhdltime_previous = .vhdltime,
                     <UPDATE SIGNALS>)]


Note that, in this case, process update_sum did not resume; instead, a new execution cycle commenced and vhdltime advanced to the next time at which a signal had a transaction on its projected output waveform: this signal is sum, and the time is vhdltime(5000000,0).

<sdvs.5.11.19.1.4> vhdltime

global time = 5000000
delta time = 0

<sdvs.5.11.19.1.4> vhdl-signals
signal-names [all]: a, sum, cout
simplify? [no]: yes

signal A :
  current value = a\29
  previous value = a\29
  projected output waveform = ()
  driver history = (transaction(vhdltime(3000000,0),a\29),
                    transaction(vhdltime(0,0),a\29))

signal SUM :
  current value = a\29 usxor cin\17
  previous value = sum\22
  projected output waveform = ()
  driver history = (transaction(vhdltime(5000000,0),
                                a\29 usxor cin\17),
                    transaction(vhdltime(0,0),
                                sum\22))

signal COUT :
  current value = cout\24
  previous value = cout\24
  projected output waveform = (transaction(vhdltime(7000000,0),
                                           (x\13 && y\15 usor
                                            x\13 && cin\17) usor
                                           y\15 && cin\17))
  driver history = (transaction(vhdltime(0,0),cout\24))

<sdvs.5.11.19.1.4> vhdl-processes
process-names [all]: <CR>

process UPDATE_A :
  current state = SUSPENDED

process UPDATE_SUM :
  current state = SUSPENDED

process UPDATE_COUT :
  current state = SUSPENDED


<sdvs.5.11.19.1.4> apply

sd/number[highest applicable/once]: 3

action -- <END EXECUTION CYCLE>

action -- <BEGIN EXECUTION CYCLE:
           1. ADVANCE EXECUTION TIME,
           2. UPDATE SIGNALS,
           3. RESUME PROCESSES>

apply -- [sd pre: (true)
          comod: (all)
          mod: (adder\pc,vhdltime,vhdltime_previous,cout)
          post: (#vhdltime = vhdltime(7000000,0),
                 #vhdltime_previous = .vhdltime,
                 <UPDATE SIGNALS>)]


<sdvs.5.11.19.1.7> vhdltime

global time = 7000000
delta time = 0

<sdvs.5.11.19.1.7> vhdlsignals
signal-names[all]: a, sum, cout
simplify?[no]: yes

signal A :
current value = a\29
previous value = a\29
projected output waveform = ()
driver history = (transaction(vhdltime(3000000,0),a\29),
                  transaction(vhdltime(0,0),a\29))

signal SUM :
current value = a\29 usxor cin\17
previous value = sum\22
projected output waveform = ()
driver history = (transaction(vhdltime(5000000,0),
                              a\29 usxor cin\17),
                  transaction(vhdltime(0,0),
                              sum\22))

signal COUT :
current value = (x\13 && y\15 usor
                 x\13 && cin\17) usor
                y\15 && cin\17
previous value = cout\24
projected output waveform = ()
driver history = (transaction(vhdltime(7000000,0),
                              (x\13 && y\15 usor
                               x\13 && cin\17) usor
                              y\15 && cin\17),
                  transaction(vhdltime(0,0),
                              cout\24))

<sdvs.5.11.19.1.7> vhdlprocesses
process-names[all]: <CR>

process UPDATE_A :
current state = SUSPENDED

process UPDATE_SUM :
current state = SUSPENDED

process UPDATE_COUT :
current state = SUSPENDED

At this point, no signal drivers are active, and no processes are scheduled to resume. Therefore,
the VHDL model will suspend execution indefinitely (that is, until it receives a new
value for an input port).

<sdvs.5.11.19.1.7> apply

sd/number[highest applicable/once]: 4

action -- <END EXECUTION CYCLE>

action -- <BEGIN EXECUTION CYCLE:
           1. ADVANCE EXECUTION TIME,
           2. UPDATE SIGNALS,
           3. RESUME PROCESSES>

action -- <END VHDL MODEL EXECUTION>

apply -- [sd pre: (true)
          comod: (all)
          mod: (adder\pc)
          post: (vhdl_model_execution_complete(adder))]

<sdvs.5.11.19.1.11> whynotgoal
simplify?[no]: <CR>

g(1) |#cout @ #sum| = |(x\36 ++ y\37) ++ cin\38|

The goal g(1) is established by a static proof that appeals directly to the lemma
append_cout_sum_lemma:


<sdvs.5.11.19.1.11> provebylemma

formula to prove: |.cout @ .sum| = |(.x ++ .y) ++ .cin|
lemma name[]: <CR>

provebylemma append_cout_sum_lemma -- |.cout @ .sum|
                                      = |(.x ++ .y) ++ .cin|

<sdvs.5.11.19.1.12> whynotgoal
simplify?[no]: <CR>

The goal is TRUE. Type 'close'.

<sdvs.5.11.19.1.12> close

close -- 11 steps/applications

open -- [sd pre: (~(.a = val(.driver\a,.vhdltime_previous)))
         comod: (all)
         mod: (all)
         post: (|#cout @ #sum|
                = |(x\36 ++ y\37) ++ cin\38|,
                vhdl_model_execution_complete(adder))]

Complete the proof.

The second case has now been opened, wherein the current and previous values of signal a
are asserted to be different.

Note that vhdltime has reverted to vhdltime(3000000,0), and the signals have
reverted to their states at the beginning of the previous case, except that the current value
of signal a this time is the bit '1', represented in the Simplifier as the bitstring 1(1) with
integer value 1 and length 1.

<sdvs.5.11.19.2.1> vhdltime

global time = 3000000
delta time = 0

<sdvs.5.11.19.2.1> vhdlsignals
signal-names[all]: a, sum, cout
simplify?[no]: yes

signal A :
current value = a\86
previous value = a\29
projected output waveform = ()
driver history = (transaction(vhdltime(3000000,0),a\86),
                  transaction(vhdltime(0,0),a\29))

signal SUM :
current value = sum\22
previous value = sum\22
projected output waveform = (transaction(vhdltime(5000000,0),
                                         a\29 usxor cin\17))
driver history = (transaction(vhdltime(0,0),sum\22))

signal COUT :
current value = cout\24
previous value = cout\24
projected output waveform = (transaction(vhdltime(7000000,0),
                                         (x\13 && y\15 usor
                                          x\13 && cin\17) usor
                                         y\15 && cin\17))
driver history = (transaction(vhdltime(0,0),cout\24))

<sdvs.5.11.19.2.1> vhdlprocesses
process-names[all]: <CR>

process UPDATE_A :
current state = SUSPENDED

process UPDATE_SUM :
current state = SUSPENDED
scheduled time = VHDLTIME(3000000,0)
scheduled reason = SENSITIVITY

process UPDATE_COUT :
current state = SUSPENDED

Since the current cases branch presumes an event on the signal a, the scheduled process
update_sum does resume execution.

<sdvs.5.11.19.2.1> usd

[sd pre: (.a ~= val(.driver\a,.vhdltime_previous))
 comod: (all)
 mod: (adder\pc)
 post: ([sd pre: (true)
         comod: (all)
         mod: (adder\pc)
         post: (<EXECUTE PROCESS: UPDATE_SUM>)])]

<sdvs.5.11.19.2.1> go
until[]: <CR>

apply -- [sd pre: (.a ~= val(.driver\a,.vhdltime_previous))
          comod: (all)
          mod: (adder\pc)
          post: ([sd pre: (true)
                  comod: (all)
                  mod: (adder\pc)
                  post: (<EXECUTE PROCESS: UPDATE_SUM>)])]
action -- <EXECUTE PROCESS: UPDATE_SUM>
go -- no more declarations or statements

<sdvs.5.11.19.2.3> usable

u(1) [sd pre: (~(preemption(.driver\sum,
                            transaction(timeplus(.vhdltime,
                                                 vhdltime(5000000,0)),
                                        .a usxor .cin))))
      comod: (all)
      mod: (adder\pc,driver\sum)
      post: (#driver\sum
             = inertial_update(.driver\sum,
                               transaction(timeplus(.vhdltime,
                                                    vhdltime(5000000,0)),
                                           .a usxor .cin)),
             <VHDLTR>)]

u(2) [sd pre: (preemption(.driver\sum,
                          transaction(timeplus(.vhdltime,
                                               vhdltime(5000000,0)),
                                      .a usxor .cin)))
      comod: (all)
      mod: (adder\pc,driver\sum)
      post: (#driver\sum
             = inertial_update(.driver\sum,
                               transaction(timeplus(.vhdltime,
                                                    vhdltime(5000000,0)),
                                           .a usxor .cin)),
             <VHDLTR>)]

No usable quantified formulas.

<sdvs.5.11.19.2.3> whynotapply

state delta[highest usable]: u
number: 2

Because the following is not known to be true --
preemption(.driver\sum,
           transaction(timeplus(.vhdltime,vhdltime(5000000,0)),
                       .a usxor .cin))

We have arrived at the second crucial point to understand in the symbolic execution; it
revisits the earlier discussion of the preemptive semantics of inertial driver update.

The single action of process update_sum is to update the driver of signal sum, and the
manner in which this update takes place depends on whether or not the value of the existing
transaction on that driver's projected output waveform, namely cin\17 (= .cin), is
equal to the value to be scheduled by the update transaction, namely .a usxor .cin. The
semantics of inertial driver update in VHDL requires that the former (existing) transaction
be deleted if these values are different (preemption), but retained if they are the same.
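To make the three outcomes of this symbolic execution concrete, the following Python model of the VHDL execution cycle and of inertial driver update, written as the tutorial describes them, is an added example; it is not SDVS code and not the tutorial's own. The 3, 5 and 7 ns delays of the three processes, the sensitivity of update_sum to a, and the use of bit values for the signals are assumptions read off the transcript above (the VHDL source is not reproduced on this page). Running the model with a's new value equal to its old one reproduces the first case (update_sum does not resume and execution ends at time 7000000); with a changing, update_sum resumes and the pending sum transaction at 5000000 is preempted by one at 8000000; calling inertial_update directly with an equal value shows the retained transaction of the remaining case.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    time: int      # global time, same units as vhdltime(t, 0) on the page
    value: object  # bits here; symbolic terms such as a\29 usxor cin\17 in SDVS


@dataclass
class Driver:
    waveform: list = field(default_factory=list)  # projected output waveform, earliest first
    history: list = field(default_factory=list)   # driver history, latest first (as vhdlsignals prints it)


def preemption(driver, tx):
    """True iff a pending transaction earlier than tx carries a different value
    (the case predicate SDVS could not decide symbolically)."""
    return any(old.value != tx.value for old in driver.waveform if old.time < tx.time)


def inertial_update(driver, tx):
    """Inertial update as the tutorial states it: earlier pending transactions with a
    different value are deleted (preemption), earlier ones with the same value are
    retained, and anything at or after tx.time is replaced by tx."""
    kept = [old for old in driver.waveform if old.time < tx.time and old.value == tx.value]
    return Driver(waveform=kept + [tx], history=list(driver.history))


@dataclass
class Signal:
    name: str
    current: object
    driver: Driver
    previous: object = None


class FullAdderModel:
    """The page's three-process dataflow full adder (assumed process bodies):
    update_a: a <= x xor y after 3 ns; update_sum: sum <= a xor cin after 5 ns,
    sensitive to a; update_cout: cout <= majority(x, y, cin) after 7 ns."""
    NS = 1_000_000  # assumption: vhdltime(3000000,0) is 3 ns, so one ns is 1_000_000 units

    def __init__(self, x, y, cin, a0, sum0, cout0):
        self.x, self.y, self.cin = x, y, cin
        self.time = 0
        self.signals = {n: Signal(n, v, Driver(history=[Transaction(0, v)]))
                        for n, v in (("a", a0), ("sum", sum0), ("cout", cout0))}
        self.trace = []
        for p in ("update_a", "update_sum", "update_cout"):  # initialization: each process runs once
            self.run_process(p)

    def run_process(self, name):
        self.trace.append(f"EXECUTE PROCESS: {name.upper()}")
        x, y, cin, a = self.x, self.y, self.cin, self.signals["a"].current
        if name == "update_a":
            self.schedule("a", x ^ y, 3 * self.NS)
        elif name == "update_sum":
            self.schedule("sum", a ^ cin, 5 * self.NS)
        else:
            self.schedule("cout", (x & y) | (x & cin) | (y & cin), 7 * self.NS)

    def schedule(self, name, value, delay):
        sig = self.signals[name]
        tx = Transaction(self.time + delay, value)  # timeplus(.vhdltime, delay)
        if preemption(sig.driver, tx):
            self.trace.append(f"PREEMPT {name}: {[(t.time, t.value) for t in sig.driver.waveform]}"
                              f" by ({tx.time}, {tx.value})")
        sig.driver = inertial_update(sig.driver, tx)

    def run(self):
        """Execution cycles (advance time, update signals, resume processes) until no
        driver is active and no process is scheduled; returns the final global time."""
        while True:
            pending = [t.time for s in self.signals.values() for t in s.driver.waveform]
            if not pending:
                self.trace.append("END VHDL MODEL EXECUTION")
                return self.time
            self.time = min(pending)                       # 1. advance execution time
            resumed = set()
            for sig in self.signals.values():              # 2. update signals
                for tx in [t for t in sig.driver.waveform if t.time == self.time]:
                    sig.driver.waveform.remove(tx)
                    sig.driver.history.insert(0, tx)
                    sig.previous, sig.current = sig.current, tx.value
                    if sig.name == "a" and sig.previous != sig.current:
                        resumed.add("update_sum")           # event on a: update_sum is sensitive to it
            for p in sorted(resumed):                      # 3. resume processes
                self.run_process(p)


def simulate(x, y, cin, a0, sum0, cout0):
    """Run the model on constructed bit inputs; return (final time, driver histories, trace)."""
    m = FullAdderModel(x, y, cin, a0, sum0, cout0)
    end = m.run()
    hist = {n: [(t.time, t.value) for t in s.driver.history] for n, s in m.signals.items()}
    return end, hist, m.trace
```

With x = 1, y = 0, cin = 1 and an initial a equal to x xor y there is no event on a at time 3000000, so the run ends at 7000000 with sum's history holding the 5000000 transaction, exactly the shape of the first case; starting a at 0 instead produces the resume, the PREEMPT entry in the trace and a sum history of (8000000, 0), (0, sum0). The no-preemption branch cannot arise with concrete bits (a new a always flips a xor cin), which is why it appears only as an undecided case in the symbolic proof.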

Thus,  we  again  need  to  open  a  proof  by  cases  at  this  juncture  on  whether  or  not  preemption 
will  take  place: 

<sdvs.5.11.19.2.3> cases

case predicate: preemption(.driver\sum,
                           transaction(timeplus(.vhdltime,
                                                vhdltime(5000000,0)),
                                       .a usxor .cin))

cases -- preemption(.driver\sum,
                    transaction(timeplus(.vhdltime,
                                         vhdltime(5000000,0)),
                                .a usxor .cin))

open -- [sd pre: (preemption(.driver\sum,
                             transaction(timeplus(.vhdltime,
                                                  vhdltime(5000000,0)),
                                         .a usxor .cin)))
         comod: (all)
         mod: (all)
         post: (|#cout @ #sum|
                = |(x\36 ++ y\37) ++ cin\38|,
                vhdl_model_execution_complete(adder))]

<sdvs.5.11.19.2.3.1.1> usd

[sd pre: (preemption(.driver\sum,
                     transaction(timeplus(.vhdltime,
                                          vhdltime(5000000,0)),
                                 .a usxor .cin)))
 comod: (all)
 mod: (adder\pc,driver\sum)
 post: (#driver\sum
        = inertial_update(.driver\sum,
                          transaction(timeplus(.vhdltime,
                                               vhdltime(5000000,0)),
                                      .a usxor .cin)),
        <VHDLTR>)]

<sdvs.5.11.19.2.3.1.1> apply

sd/number[highest applicable/once]: <CR>

apply -- [sd pre: (preemption(.driver\sum,
                              transaction(timeplus(.vhdltime,
                                                   vhdltime(5000000,0)),
                                          .a usxor .cin)))
          comod: (all)
          mod: (adder\pc,driver\sum)
          post: (#driver\sum
                 = inertial_update(.driver\sum,
                                   transaction(timeplus(.vhdltime,
                                                        vhdltime(5000000,0)),
                                               .a usxor .cin)),
                 <VHDLTR>)]

<sdvs.5.11.19.2.3.1.2> vhdlsignals
signal-names[all]: a, sum, cout
simplify?[no]: yes

signal A :
current value = a\86
previous value = a\29
projected output waveform = ()
driver history = (transaction(vhdltime(3000000,0),a\86),
                  transaction(vhdltime(0,0),a\29))

signal SUM :
current value = sum\22
previous value = sum\22
projected output waveform = (transaction(vhdltime(8000000,0),
                                         a\86 usxor cin\17))
driver history = (transaction(vhdltime(0,0),sum\22))

signal COUT :
current value = cout\24
previous value = cout\24
projected output waveform = (transaction(vhdltime(7000000,0),
                                         (x\13 && y\15 usor
                                          x\13 && cin\17) usor
                                         y\15 && cin\17))
driver history = (transaction(vhdltime(0,0),cout\24))

Observe how transaction(vhdltime(5000000,0),a\29 usxor cin\17) has been preempted
from driver\sum by transaction(vhdltime(8000000,0),a\86 usxor cin\17).

From this point on, the proof proceeds essentially as before, with the only difference being
that the times to which vhdltime advances are a little different. Note, in particular,
that vhdltime(8000000,0) is now reached.


<sdvs.5.11.19.2.3.1.2> go
until[]: <CR>

action -- <SUSPEND PROCESS: UPDATE_SUM>
action -- <END EXECUTION CYCLE>

action -- <BEGIN EXECUTION CYCLE:
           1. ADVANCE EXECUTION TIME,
           2. UPDATE SIGNALS,
           3. RESUME PROCESSES>

apply -- [sd pre: (true)
          comod: (all)
          mod: (adder\pc,vhdltime,vhdltime_previous,cout)
          post: (#vhdltime = vhdltime(7000000,0),
                 #vhdltime_previous = .vhdltime,
                 <UPDATE SIGNALS>)]

action -- <END EXECUTION CYCLE>

action -- <BEGIN EXECUTION CYCLE:
           1. ADVANCE EXECUTION TIME,
           2. UPDATE SIGNALS,
           3. RESUME PROCESSES>

apply -- [sd pre: (true)
          comod: (all)
          mod: (adder\pc,vhdltime,vhdltime_previous,sum)
          post: (#vhdltime = vhdltime(8000000,0),
                 #vhdltime_previous = .vhdltime,
                 <UPDATE SIGNALS>)]

action -- <END EXECUTION CYCLE>

action -- <BEGIN EXECUTION CYCLE:
           1. ADVANCE EXECUTION TIME,
           2. UPDATE SIGNALS,
           3. RESUME PROCESSES>

action -- <END VHDL MODEL EXECUTION>

apply -- [sd pre: (true)
          comod: (all)
          mod: (adder\pc)
          post: (vhdl_model_execution_complete(adder))]
go -- no more declarations or statements

<sdvs.5.11.19.2.3.1.13> vhdltime

global time = 8000000
delta time = 0

<sdvs.5.11.19.2.3.1.13> vhdlsignals
signal-names[all]: a, sum, cout
simplify?[no]: yes

signal A :
current value = a\86
previous value = a\29
projected output waveform = ()
driver history = (transaction(vhdltime(3000000,0),a\86),
                  transaction(vhdltime(0,0),a\29))

signal SUM :
current value = a\86 usxor cin\17
previous value = sum\22
projected output waveform = ()
driver history = (transaction(vhdltime(8000000,0),
                              a\86 usxor cin\17),
                  transaction(vhdltime(0,0),
                              sum\22))

signal COUT :
current value = (x\13 && y\15 usor
                 x\13 && cin\17) usor
                y\15 && cin\17
previous value = cout\24
projected output waveform = ()
driver history = (transaction(vhdltime(7000000,0),
                              (x\13 && y\15 usor
                               x\13 && cin\17) usor
                              y\15 && cin\17),
                  transaction(vhdltime(0,0),
                              cout\24))

<sdvs.5.11.19.2.3.1.13> vhdlprocesses
process-names[all]: <CR>

process UPDATE_A :
current state = SUSPENDED

process UPDATE_SUM :
current state = SUSPENDED

process UPDATE_COUT :
current state = SUSPENDED

<sdvs.5.11.19.2.3.1.13> whynotgoal
simplify?[no]: <CR>

g(1) |#cout @ #sum| = |(x\36 ++ y\37) ++ cin\38|

<sdvs.5.11.19.2.3.1.13> provebylemma

formula to prove: |.cout @ .sum| = |(.x ++ .y) ++ .cin|
lemma name[]: <CR>

provebylemma append_cout_sum_lemma -- |.cout @ .sum|
                                      = |(.x ++ .y) ++ .cin|

<sdvs.5.11.19.2.3.1.14> whynotgoal
simplify?[no]: <CR>

The goal is TRUE. Type 'close'.

<sdvs.5.11.19.2.3.1.14> close

close -- 13 steps/applications

open -- [sd pre: (~(preemption(.driver\sum,
                               transaction(timeplus(.vhdltime,
                                                    vhdltime(5000000,0)),
                                           .a usxor .cin))))
         comod: (all)
         mod: (all)
         post: (|#cout @ #sum|
                = |(x\36 ++ y\37) ++ cin\38|,
                vhdl_model_execution_complete(adder))]

Complete  the  proof. 

<sdvs.5.11.19.2.3.2.1> usd

[sd pre: (~(preemption(.driver\sum,
                       transaction(timeplus(.vhdltime,
                                            vhdltime(5000000,0)),
                                   .a usxor .cin))))
 comod: (all)
 mod: (adder\pc,driver\sum)
 post: (#driver\sum
        = inertial_update(.driver\sum,
                          transaction(timeplus(.vhdltime,
                                               vhdltime(5000000,0)),
                                      .a usxor .cin)),
        <VHDLTR>)]

<sdvs.5.11.19.2.3.2.1> apply

sd/number[highest applicable/once]:

apply -- [sd pre: (~(preemption(.driver\sum,
                                transaction(timeplus(.vhdltime,
                                                     vhdltime(5000000,0)),
                                            .a usxor .cin))))
          comod: (all)
          mod: (adder\pc,driver\sum)
          post: (#driver\sum
                 = inertial_update(.driver\sum,
                                   transaction(timeplus(.vhdltime,
                                                        vhdltime(5000000,0)),
                                               .a usxor .cin)),
                 <VHDLTR>)]

<sdvs.5.11.19.2.3.2.2> vhdlsignals
signal-names[all]: a, sum, cout
simplify?[no]: yes

signal A :
current value = a\86
previous value = a\29
projected output waveform = ()
driver history = (transaction(vhdltime(3000000,0),a\86),
                  transaction(vhdltime(0,0),a\29))

signal SUM :
current value = sum\22
previous value = sum\22
projected output waveform = (transaction(vhdltime(5000000,0),
                                         a\86 usxor cin\17),
                             transaction(vhdltime(8000000,0),
                                         a\86 usxor cin\17))
driver history = (transaction(vhdltime(0,0),sum\22))

signal COUT :
current value = cout\24
previous value = cout\24
projected output waveform = (transaction(vhdltime(7000000,0),
                                         (x\13 && y\15 usor
                                          x\13 && cin\17) usor
                                         y\15 && cin\17))
driver history = (transaction(vhdltime(0,0),cout\24))

We have entered the case where the value scheduled for sum at time vhdltime(5000000,0)
will not be preempted; that is, the previously scheduled value a\29 usxor cin\17 and
the newly scheduled value a\86 usxor cin\17 are considered equivalent, as reflected by
examination of sum's projected output waveform after application of the state delta.

The proof now proceeds much as before, with the only difference being manifested, again,
in the times to which vhdltime advances.


<sdvs.5.11.19.2.3.2.2> go
until[]: <CR>

action -- <SUSPEND PROCESS: UPDATE_SUM>
action -- <END EXECUTION CYCLE>
action -- <BEGIN EXECUTION CYCLE:
           1. ADVANCE EXECUTION TIME,
           2. UPDATE SIGNALS,
           3. RESUME PROCESSES>

apply -- [sd pre: (true)
          comod: (all)
          mod: (adder\pc,vhdltime,vhdltime_previous,sum)
          post: (#vhdltime = vhdltime(5000000,0),
                 #vhdltime_previous = .vhdltime,
                 <UPDATE SIGNALS>)]

action -- <END EXECUTION CYCLE>

action -- <BEGIN EXECUTION CYCLE:
           1. ADVANCE EXECUTION TIME,
           2. UPDATE SIGNALS,
           3. RESUME PROCESSES>

apply -- [sd pre: (true)
          comod: (all)
          mod: (adder\pc,vhdltime,vhdltime_previous,cout)
          post: (#vhdltime = vhdltime(7000000,0),
                 #vhdltime_previous = .vhdltime,
                 <UPDATE SIGNALS>)]

action -- <END EXECUTION CYCLE>

action -- <BEGIN EXECUTION CYCLE:
           1. ADVANCE EXECUTION TIME,
           2. UPDATE SIGNALS,
           3. RESUME PROCESSES>

apply -- [sd pre: (true)
          comod: (all)
          mod: (adder\pc,vhdltime,vhdltime_previous,sum)
          post: (#vhdltime = vhdltime(8000000,0),
                 #vhdltime_previous = .vhdltime,
                 <UPDATE SIGNALS>)]

action -- <END EXECUTION CYCLE>

action -- <BEGIN EXECUTION CYCLE:
           1. ADVANCE EXECUTION TIME,
           2. UPDATE SIGNALS,
           3. RESUME PROCESSES>

action -- <END VHDL MODEL EXECUTION>

*** Execution Time reached TIME'HIGH :
    no active drivers or resuming processes ***

apply -- [sd pre: (true)
          comod: (all)
          mod: (adder\pc)
          post: (vhdl_model_execution_complete(adder))]
go -- no more declarations or statements

<sdvs.5.11.19.2.3.2.16> vhdltime

global time = 8000000
delta time = 0

<sdvs.5.11.19.2.3.2.16> vhdlsignals
signal-names[all]: a, sum, cout
simplify?[no]: yes

signal A :
current value = a\86
previous value = a\29
projected output waveform = ()
driver history = (transaction(vhdltime(3000000,0),a\86),
                  transaction(vhdltime(0,0),a\29))

signal SUM :
current value = a\86 usxor cin\17
previous value = a\86 usxor cin\17
projected output waveform = ()
driver history = (transaction(vhdltime(8000000,0),
                              a\86 usxor cin\17),
                  transaction(vhdltime(5000000,0),
                              a\86 usxor cin\17),
                  transaction(vhdltime(0,0),
                              sum\22))

signal COUT :
current value = (x\13 && y\15 usor
                 x\13 && cin\17) usor
                y\15 && cin\17
previous value = cout\24
projected output waveform = ()
driver history = (transaction(vhdltime(7000000,0),
                              (x\13 && y\15 usor
                               x\13 && cin\17) usor
                              y\15 && cin\17),
                  transaction(vhdltime(0,0),
                              cout\24))

<sdvs.5.11.19.2.3.2.16> vhdlprocesses
process-names[all]:

process UPDATE_A :
current state = SUSPENDED

process UPDATE_SUM :
current state = SUSPENDED

process UPDATE_COUT :
current state = SUSPENDED

<sdvs.5.11.19.2.3.2.16> whynotgoal
simplify?[no]:

g(1) |#cout @ #sum| = |(x\36 ++ y\37) ++ cin\38|

<sdvs.5.11.19.2.3.2.16> provebylemma

formula to prove: |.cout @ .sum| = |(.x ++ .y) ++ .cin|
lemma name[]:

provebylemma append_cout_sum_lemma -- |.cout @ .sum|
                                      = |(.x ++ .y) ++ .cin|

<sdvs.5.11.19.2.3.2.17> whynotgoal
simplify?[no]:

The goal is TRUE. Type 'close'.

<sdvs.5.11.19.2.3.2.17> close

close -- 16 steps/applications

join -- [sd pre: (true)
         comod: (all)
         mod: (all)
         post: (|#cout @ #sum|
                = |(x\36 ++ y\37) ++ cin\38|,
                vhdl_model_execution_complete(adder))]

close -- 3 steps/applications

join -- [sd pre: (true)
         comod: (all)
         mod: (all)
         post: (|#cout @ #sum| = |(x\36 ++ y\37) ++ cin\38|,
                vhdl_model_execution_complete(adder))]

close -- 19 steps/applications

Complete the proof.

<sdvs.5.12> whynotgoal
simplify?[no]: <CR>

The goal is TRUE. Type 'close'.

<sdvs.5.12> close

close -- 11 steps/applications
<sdvs.6>
7.2.3 Batch proof

The batch proof shown here is essentially a dump of the proof developed in the preceding
section, with successive apply commands merged into invocations of the go command.
Recall that, with the autoclose flag set to off, the go command applies successive highest
applicable state deltas until the top usable state delta is not applicable or the indicated
condition (if any) is achieved.

(defproof full_adder_dataflow_proof
  "(setflag autoclose off,
    vhdltr adder \"testproofs/vhdl/\" (\"full_adder_dataflow.vhdl\") none,
    read \"testproofs/vhdl/full_adder_dataflow.spec\",
    read \"testproofs/vhdl/full_adder_dataflow.lemmas\",
    prove full_adder_dataflow_sd
    proof:
      (go vhdl_model_elaboration_complete(adder),
       prove g(2)
       proof:
         (go,
          cases .a = val(.driver\\a,.vhdltime_previous)
          then proof:
            (go,
             provebylemma |.cout @ .sum|
                          = |(.x ++ .y) ++ .cin|
             using: append_cout_sum_lemma,
             close)
          else proof:
            (go,
             cases preemption(.driver\\sum,
                              transaction(timeplus(.vhdltime,
                                                   vhdltime(5000000,0)),
                                          .a usxor .cin))
             then proof:
               (go,
                provebylemma |.cout @ .sum|
                             = |(.x ++ .y) ++ .cin|
                using: append_cout_sum_lemma,
                close)
             else proof:
               (go,
                provebylemma |.cout @ .sum|
                             = |(.x ++ .y) ++ .cin|
                using: append_cout_sum_lemma,
                close))),
       close))")
7.2.4 Lemma

Here we record the lemma used in the above proof. It has a straightforward proof by
exhaustive case analysis.

(deflemma append_cout_sum_lemma
  "(((((lh(x) = 1 &
        lh(y) = 1) &
       lh(cin) = 1) &
      lh(sum) = 1) &
     lh(cout) = 1) &
    sum = (x usxor y) usxor cin) &
   cout = (x && y usor x && cin) usor y && cin
   --> |cout @ sum| = |(x ++ y) ++ cin|"
  (x y cin sum cout) nil nil nil
  :proof "(provelemma append_cout_sum_lemma
           proof:
             mcases
               (case: (x = 0(1) & y = 0(1)) & cin = 0(1)
                proof: close
                case: (x = 0(1) & y = 0(1)) & cin = 1(1)
                proof: close
                case: (x = 0(1) & y = 1(1)) & cin = 0(1)
                proof: close
                case: (x = 0(1) & y = 1(1)) & cin = 1(1)
                proof: close
                case: (x = 1(1) & y = 0(1)) & cin = 0(1)
                proof: close
                case: (x = 1(1) & y = 0(1)) & cin = 1(1)
                proof: close
                case: (x = 1(1) & y = 1(1)) & cin = 0(1)
                proof: close
                case: (x = 1(1) & y = 1(1)) & cin = 1(1)
                proof: close))")
7.3 ISPS

7.3.1 TR: Translator from ISPS to state deltas

This section describes the action of the TR translator on the machine description language
ISPS.

In fact, there are two different versions of the translator from ISPS to state deltas. The new
translator will be discussed only in the last section of this chapter. It is still to be considered
experimental, although it will eventually replace the old translator. It has been generated
by the same uniform method as the translators for Ada and VHDL, and recognizes a slightly
larger piece of ISPS (it allows "don't care" digits, and bit order in bitstrings can be low to
high).

The version of ISPS that the (old) translator (TR) recognizes differs from the version
described in the ISPS manual [4] in several respects. The first category of differences contains
those aspects of the "official" ISPS that TR does not support; these include parallelism and
two's-complement arithmetic.

The second category of differences consists of extra features that SDVS needs for the
implementation proof paradigm. For example, when one is not interested in implementing
the action of all target places, some of the machine variables ("place" names) must be
designated as significant and the others as auxiliary. The mapping is defined only on the
designated significant places. Another useful feature is the capability to intersperse
standard ISPS code with state deltas. This can be used when one is not interested in the details
of how a certain postcondition was brought about, but only in its effect, or in case that
effect is not expressible in ISPS.

The semantics of TR are described in [19], [22], and [23]; problems with ISPS are described
in [24].


7.3.2  Marking 

SDVS  does  the  processing  necessary  to  turn  an  ISPS  program  into  an  equivalent  state 
delta  or  set  of  state  deltas.  Thus,  ISPS  programs  can  be  used  in,  or  as,  preconditions  or 
postconditions  of  state  deltas. 

We present an example illustrating the capability to execute from an ISPS mark point. One
can run a set of example ISPS proofs by typing eval (runtestproofs 'isps-tests).

When dealing with a proof based on state deltas created by TR from an ISPS program, the
user does not have a convenient method of handling the specific state deltas representing
the "continuation" of the program from each control point. To solve that problem, the
system allows the user to label the location of control points in the ISPS program.

The initial and final control points are named by the system <machine-name>\STARTED
and <machine-name>\HALTED, respectively. The exit point for an internal subroutine,
<subroutine>, is <subroutine>\exited.

Consider the following ISPS program, gcd.isp:

gcd.machine US := BEGIN           ! gcd algorithm computes gcd(x,y)
                                  ! for inputs x and y

** local.variables **

x<15:0>,                          ! input variable x
y<15:0>,                          ! input variable y
twos<5:0>,                        ! indicates common factor of twos between x and y
gcdresult<15:0>                   ! result of gcd(x,y)

NEXT

** algorithm **

gcd MAIN := BEGIN
  twos _ LAST.ONE(x OR y) NEXT    ! store common factor of twos
  y _ y SR0 LAST.ONE(y) NEXT      ! strip low-order zeros from y
  x _ x SR0 LAST.ONE(x) NEXT      ! strip low-order zeros from x
  REPEAT                          ! main loop
    BEGIN
      m1:= IF x LSS y => x@y _ y@x NEXT       ! swap x,y if x<y
      x _ x - y NEXT                          ! assign x-y to x
      m2:= IF x EQL 0 =>                      ! if x=0 (finished) then
        (m4 := gcdresult _ y NEXT             ! assign y to gcdxy,
         gcdresult _ gcdresult SL0 twos NEXT  ! remember common twos,
         LEAVE gcd) NEXT                      ! and exit
      m3:= x _ x SR0 LAST.ONE(x)              ! strip low-order zeros from x
    END
  END
END


The  command  mpisps  generates  state  deltas  corresponding  to  the  state  changes  between 
mark  points,  instead  of  every  state  change  represented  in  the  unmarked  ISPS  program.  If 
mpisps  is  used  on  an  ISPS  program  with  a  potentially  infinite  loop  in  which  the  loop  does 
not  have  a  mark  point  at  the  top,  mpisps  will  not  terminate.  Gcd.isp  has  five  mark  points, 
including  the  initial  state,  which  is  a  default  mark  point. 

Mpisps  prompts  for  starting  mark  point,  stopping  mark  point,  and  preconditions. 


<sdvs.1> mpisps

path name[testproofs/alias.isp]: testproofs/gcd.isp
starting mark point[]: <CR>
ending mark points[]: <CR>
preconditions[]: <CR>
unique name level[1]: <CR>

Parsing ISPS file -- "testproofs/gcd.isp"

Markpoint-to-markpoint translating ISPS file -- "testproofs/gcd.isp"

[sd pre: (.gcd.machine\upc = gcd.machine\started)
 mod: (x,twos,y,gcd.machine\upc)
 post: (#gcd.machine\upc = m1,
        #x = (zeros(|lastone(.x)|) @ .x)
             <15 + |lastone(.x)|:|lastone(.x)|>,
        #y = (zeros(|lastone(.y)|) @ .y)
             <15 + |lastone(.y)|:|lastone(.y)|>,
        #twos = lastone(.x usor .y))]

[sd pre: (|.y| gt |.x|, .gcd.machine\upc = m1)
 mod: (x,y,gcd.machine\upc)
 post: (#gcd.machine\upc = m2,#x = (.y - .x)<15:0>,#y = .x)]

[sd pre: (|.y| le |.x|, .gcd.machine\upc = m1)
 mod: (x,gcd.machine\upc)
 post: (#gcd.machine\upc = m2,#x = (.x - .y)<15:0>)]

[sd pre: (|.x| = 0, .gcd.machine\upc = m2)
 mod: (gcd.machine\upc)
 post: (#gcd.machine\upc = m4)]

[sd pre: (|.x| ~= 0, .gcd.machine\upc = m2)
 mod: (gcd.machine\upc)
 post: (#gcd.machine\upc = m3)]

[sd pre: (.gcd.machine\upc = m4)
 mod: (gcdresult,gcd.machine\upc)
 post: (#gcd.machine\upc = gcd.machine\halted,
        #gcdresult = (.y @ zeros(|.twos|))<15:0>)]

[sd pre: (.gcd.machine\upc = m3)
 mod: (x,gcd.machine\upc)
 post: (#gcd.machine\upc = m1,
        #x = (zeros(|lastone(.x)|) @ .x)
             <15 + |lastone(.x)|:|lastone(.x)|>)]

The flag displaympsds was on. If it were off, the above state deltas would not be displayed.
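A useful way to read the seven state deltas mpisps printed above is to execute gcd.isp between the same mark points on concrete inputs and compare the result with an independent gcd. The Python below is an added example written for that purpose; it is not SDVS or mpisps output. Each branch of step corresponds to one printed state delta (the shifts are the translator's zeros(n) @ v concatenation and slice), and execute takes starting and ending mark points the way mpisps prompts for them. Treating LAST.ONE as the count of low-order zeros, returning 0 on a zero argument, and 16-bit wraparound of x - y are assumptions about ISPS semantics that the page does not spell out.

```python
from math import gcd

MASK16 = 0xFFFF   # x, y, gcdresult are declared <15:0>
MASK6 = 0x3F      # twos is declared <5:0>


def lastone(v):
    """Count of low-order zeros, i.e. the index of the lowest set bit (ISPS LAST.ONE
    as gcd.isp uses it). Assumption: 0 for v == 0, which the program never asks for."""
    return (v & -v).bit_length() - 1 if v else 0


def sr0(v, n):
    """ISPS SR0: shift right with zero fill; the translator writes it as
    (zeros(n) @ v)<15 + n:n>."""
    return (v >> n) & MASK16


def sl0(v, n):
    """ISPS SL0: shift left with zero fill; the translator writes it as (v @ zeros(n))<15:0>."""
    return (v << n) & MASK16


def step(mark, st):
    """One mark-point-to-mark-point transition of gcd.isp. st holds x, y, twos and
    gcdresult; the branches mirror the seven state deltas mpisps printed."""
    x, y = st["x"], st["y"]
    new = dict(st)
    if mark == "started":                      # started -> m1
        new["twos"] = lastone(x | y) & MASK6   # #twos = lastone(.x usor .y)
        new["y"] = sr0(y, lastone(y))
        new["x"] = sr0(x, lastone(x))
        return "m1", new
    if mark == "m1":                           # m1 -> m2, split on |.y| gt |.x|
        if y > x:
            new["x"], new["y"] = (y - x) & MASK16, x   # swap then subtract
        else:
            new["x"] = (x - y) & MASK16
        return "m2", new
    if mark == "m2":                           # m2 -> m4 or m3, split on |.x| = 0
        return ("m4" if x == 0 else "m3"), new
    if mark == "m3":                           # m3 -> m1
        new["x"] = sr0(x, lastone(x))
        return "m1", new
    if mark == "m4":                           # m4 -> halted
        new["gcdresult"] = sl0(y, st["twos"])
        return "halted", new
    raise ValueError(f"unknown mark point {mark!r}")


def execute(start, st, stops=()):
    """Execute from mark point `start` until a mark in `stops` (or halted) is reached,
    like mpisps's starting and ending mark points. Returns (mark, state, marks visited)."""
    mark, marks = start, [start]
    while True:
        mark, st = step(mark, st)
        marks.append(mark)
        if mark in stops or mark == "halted":
            return mark, st, marks


def gcd_isp(x, y):
    """Full run from STARTED to HALTED on 16-bit inputs; returns gcdresult."""
    st = {"x": x & MASK16, "y": y & MASK16, "twos": 0, "gcdresult": 0}
    return execute("started", st)[1]["gcdresult"]


def agrees_with_math(pairs):
    """Cross-check the mark-point model against math.gcd on constructed input pairs."""
    return all(gcd_isp(x, y) == gcd(x, y) for x, y in pairs)
```

Running execute("m2", state, stops=("m3",)) reproduces the two-state-delta fragment that mpisps prints for a start of m2 and an end of m3: with x nonzero the run stops at m3 after one step, and with x zero it passes through m4 to halted because m3 is never reached. A disagreement between gcd_isp and math.gcd on any pair would point at a misreading of one of the printed state deltas.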

<sdvs.2> ppsd

state delta: mpisps
file name: gcd.isp
starting mark point[]: <CR>
ending mark points[]: <CR>
preconditions[]: <CR>

covering (gcd.machine,x,y,twos,gcdresult,gcd.machine\upc)

declare(x,type(bitstring,16))
declare(y,type(bitstring,16))
declare(twos,type(bitstring,6))
declare(gcdresult,type(bitstring,16))

[sd pre: (.gcd.machine\upc = gcd.machine\started)
 mod: (x,twos,y,gcd.machine\upc)
 post: (#gcd.machine\upc = m1,
        #x = (zeros(|lastone(.x)|) @ .x)
             <15 + |lastone(.x)|:|lastone(.x)|>,
        #y = (zeros(|lastone(.y)|) @ .y)
             <15 + |lastone(.y)|:|lastone(.y)|>,
        #twos = lastone(.x usor .y))]

[sd pre: (|.y| gt |.x|, .gcd.machine\upc = m1)
 mod: (x,y,gcd.machine\upc)
 post: (#gcd.machine\upc = m2,#x = (.y - .x)<15:0>,#y = .x)]

[sd pre: (|.y| le |.x|, .gcd.machine\upc = m1)
 mod: (x,gcd.machine\upc)
 post: (#gcd.machine\upc = m2,#x = (.x - .y)<15:0>)]

[sd pre: (|.x| = 0, .gcd.machine\upc = m2)
 mod: (gcd.machine\upc)
 post: (#gcd.machine\upc = m4)]

[sd pre: (|.x| ~= 0, .gcd.machine\upc = m2)
 mod: (gcd.machine\upc)
 post: (#gcd.machine\upc = m3)]

[sd pre: (.gcd.machine\upc = m4)
 mod: (gcdresult,gcd.machine\upc)
 post: (#gcd.machine\upc = gcd.machine\halted,
        #gcdresult = (.y @ zeros(|.twos|))<15:0>)]

[sd pre: (.gcd.machine\upc = m3)
 mod: (x,gcd.machine\upc)
 post: (#gcd.machine\upc = m1,
        #x = (zeros(|lastone(.x)|) @ .x)
             <15 + |lastone(.x)|:|lastone(.x)|>)]

Now we will use mpisps with mark points chosen.

<sdvs.2> mpisps

path name [testproofs/gcd.isp]: testproofs/gcd.isp
starting mark point []: m2
ending mark points []: m3
preconditions []: <CR>
unique name level [1]: <CR>

Parsing ISPS file -- "testproofs/gcd.isp"

Markpoint-to-markpoint translating ISPS file -- "testproofs/gcd.isp"

[sd pre: (|.x| = 0, .gcd.machine\upc = m2)
mod: (gcd.machine\upc)
post: (#gcd.machine\upc = m4)]

[sd pre: (|.x| ~= 0, .gcd.machine\upc = m2)
mod: (gcd.machine\upc)
post: (#gcd.machine\upc = m3)]

[sd pre: (.gcd.machine\upc = m4)
mod: (gcdresult, gcd.machine\upc)
post: (#gcd.machine\upc = gcd.machine\halted,
#gcdresult = (.y @ zeros(|.twos|))<15:0>)]

<sdvs.3> mpisps

path name [testproofs/gcd.isp]: <CR>
starting mark point []: m2
ending mark points []: <CR>
preconditions []: <CR>
unique name level [1]: <CR>

Parsing ISPS file -- "testproofs/gcd.isp"

Markpoint-to-markpoint translating ISPS file -- "testproofs/gcd.isp"

[sd pre: (|.x| = 0, .gcd.machine\upc = m2)
mod: (gcd.machine\upc)
post: (#gcd.machine\upc = m4)]

[sd pre: (|.x| ~= 0, .gcd.machine\upc = m2)
mod: (gcd.machine\upc)
post: (#gcd.machine\upc = m3)]

[sd pre: (.gcd.machine\upc = m3)
mod: (x, gcd.machine\upc)
post: (#gcd.machine\upc = m1,
#x = (zeros(|lastone(.x)|) @ .x)<15 + |lastone(.x)|:|lastone(.x)|>)]

[sd pre: (.gcd.machine\upc = m4)
mod: (gcdresult, gcd.machine\upc)
post: (#gcd.machine\upc = gcd.machine\halted,
#gcdresult = (.y @ zeros(|.twos|))<15:0>)]

[sd pre: (|.y| le |.x|, .gcd.machine\upc = m1)
mod: (x, gcd.machine\upc)
post: (#gcd.machine\upc = m2, #x = (.x - .y)<15:0>)]

[sd pre: (|.y| gt |.x|, .gcd.machine\upc = m1)
mod: (x, y, gcd.machine\upc)
post: (#gcd.machine\upc = m2, #x = (.y - .x)<15:0>, #y = .x)]
<sdvs.4> mpisps

path name [testproofs/gcd.isp]: <CR>
starting mark point []: m2
ending mark points []: <CR>
preconditions []: |.x| ge |.y|
unique name level [1]: <CR>

Parsing ISPS file -- "testproofs/gcd.isp"

Markpoint-to-markpoint translating ISPS file -- "testproofs/gcd.isp"

[sd pre: (|.x| ge |.y|, |.x| = 0, .gcd.machine\upc = m2)
mod: (gcd.machine\upc)
post: (#gcd.machine\upc = m4)]

[sd pre: (|.x| ge |.y|, |.x| ~= 0, .gcd.machine\upc = m2)
mod: (gcd.machine\upc)
post: (#gcd.machine\upc = m3)]

[sd pre: (.gcd.machine\upc = m3)
mod: (x, gcd.machine\upc)
post: (#gcd.machine\upc = m1,
#x = (zeros(|lastone(.x)|) @ .x)<15 + |lastone(.x)|:|lastone(.x)|>)]

[sd pre: (.gcd.machine\upc = m4)
mod: (gcdresult, gcd.machine\upc)
post: (#gcd.machine\upc = gcd.machine\halted,
#gcdresult = (.y @ zeros(|.twos|))<15:0>)]

[sd pre: (|.y| le |.x|, .gcd.machine\upc = m1)
mod: (x, gcd.machine\upc)
post: (#gcd.machine\upc = m2, #x = (.x - .y)<15:0>)]

[sd pre: (|.y| gt |.x|, .gcd.machine\upc = m1)
mod: (x, y, gcd.machine\upc)
post: (#gcd.machine\upc = m2, #x = (.y - .x)<15:0>, #y = .x)]


<sdvs.5> mpisps

path name [testproofs/gcd.isp]: <CR>
starting mark point []: m2
ending mark points []: <CR>
preconditions []: |.x| = 0
unique name level [1]: <CR>

Parsing ISPS file -- "testproofs/gcd.isp"

Markpoint-to-markpoint translating ISPS file -- "testproofs/gcd.isp"

[sd pre: (|.x| = 0, .gcd.machine\upc = m2)
mod: (gcd.machine\upc)
post: (#gcd.machine\upc = m4)]

[sd pre: (.gcd.machine\upc = m4)
mod: (gcdresult, gcd.machine\upc)
post: (#gcd.machine\upc = gcd.machine\halted,
#gcdresult = (.y @ zeros(|.twos|))<15:0>)]


The differences between isps and mpisps are as follows:

1. isps gives an incremental translation (with TRs in the postcondition); mpisps gives
a set of state deltas;

2. isps translates every ISPS state change; mpisps accumulates effects from mark
point to mark point;

3. mpisps takes account of extensions of ISPS by state deltas, assumptions, and external
and auxiliary variables; and

4. isps(file.isp) should be used only in the precondition of a state delta (as a host
description).


Extensions  of  ISPS 

The  user  may  extend  ISPS  code  in  two  main  ways: 
1. by interspersing assumptions or state deltas between ISPS statements, and

2.  by  declaring  some  ISPS  variables  to  be  external  or  auxiliary. 

These  extensions  were  found  to  be  useful  in  specifying  real  machines  in  the  context  of  setting 
up  implementation  proofs. 


7.3.4  Extending  ISPS  by  assumptions  and  state  deltas 

The  two  methods  for  extending  ISPS  that  are  discussed  in  this  section  are 


1. assumptions !![ASSUME: (expr)], and

2. inserting state deltas !![SD (pre) (comod) (mod) (post)].


The  expr  field  in  assumption  is  any  state  delta  formula  (note  that  a  statement  such  as  “#x 
=  1”  is  not  a  legal  state  delta  formula);  it  is  interpreted  to  be  a  precondition  to  the  rest  of 
the  ISPS  routine.  In  other  words,  if  the  assumption  is  not  true,  execution  cannot  continue 
from  that  point. 

The  extended  state  delta  is  interpreted  with  the  same  internal  semantics  as  any  state  delta, 
and  with  the  same  control  as  if  it  had  been  a  regular  ISPS  statement.  It  is  useful  for 
expressing  state  changes  that  cannot  be  expressed  in  ISPS.  Notice  that  one  may  make  a 
static  assertion  by  using  an  extended  state  delta  with  nil  precondition  and  nil  mod  list. 

As  an  example,  consider  the  following  extended  ISPS  program  extest2.isp: 

sd.machine US :=

BEGIN

**Registers**

x<15:0>, y<15:0>

**Algorithm**

exec MAIN :=

BEGIN

!![EXTSD: () (|.x| ge |.y|) () (x, y) (#x = 0(16) or #y = 0(16))] NEXT
POINT :=
if x eql 0 => y _ 1 NEXT
if y eql 0 => x _ 0
END
END

Let us mpisps it and look at the resulting state deltas.


<sdvs.1> mpisps

path name [testproofs/gcd.isp]: testproofs/extest2.isp
starting mark point []: <CR>
ending mark points []: <CR>
preconditions []: <CR>
unique name level [1]: <CR>

Parsing ISPS file -- "testproofs/extest2.isp"

Markpoint-to-markpoint translating ISPS file -- "testproofs/extest2.isp"

[sd pre: (|.x| ge |.y|, .sd.machine\upc = sd.machine\started)
mod: (y, x, sd.machine\upc)
post: (#x = 0(16) or #y = 0(16), #sd.machine\upc = point)]

[sd pre: (|.x| lt |.y|, .sd.machine\upc = sd.machine\started)
mod: (sd.machine\upc)
post: (#sd.machine\upc = point)]

[sd pre: (|.x| = 0, .sd.machine\upc = point)
mod: (y, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #y = 0(14) @ 1(2))]

[sd pre: (|.x| ~= 0 & .sd.machine\upc = point, |.y| = 0)
mod: (x, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #x = 0(16))]

[sd pre: (|.x| ~= 0 & .sd.machine\upc = point, |.y| ~= 0)
mod: (sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted)]


<sdvs.2> ppsd

state delta: mpisps

file name: extest2.isp
starting mark point []: <CR>
ending mark points []: <CR>
preconditions []: <CR>

covering(sd.machine, x, y, sd.machine\upc)
declare(x, type(bitstring, 16))
declare(y, type(bitstring, 16))

[sd pre: (|.x| ge |.y|, .sd.machine\upc = sd.machine\started)
mod: (y, x, sd.machine\upc)
post: (#x = 0(16) or #y = 0(16), #sd.machine\upc = point)]

[sd pre: (|.x| lt |.y|, .sd.machine\upc = sd.machine\started)
mod: (sd.machine\upc)
post: (#sd.machine\upc = point)]

[sd pre: (|.x| = 0, .sd.machine\upc = point)
mod: (y, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #y = 0(14) @ 1(2))]

[sd pre: (|.x| ~= 0 & .sd.machine\upc = point, |.y| = 0)
mod: (x, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #x = 0(16))]

[sd pre: (|.x| ~= 0 & .sd.machine\upc = point, |.y| ~= 0)
mod: (sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted)]


Let extest.isp be the above without POINT:

sd.machine US :=

BEGIN

**Registers**

x<15:0>, y<15:0>

**Algorithm**

exec MAIN :=

BEGIN

!![EXTSD: () (|.x| ge |.y|) () (x, y) (#x = 0(16) or #y = 0(16))] NEXT

if x eql 0 => y _ 1 NEXT
if y eql 0 => x _ 0
END
END


<sdvs.1> mpisps

path name [testproofs/extest2.isp]: testproofs/extest.isp
starting mark point []: <CR>
ending mark points []: <CR>
preconditions []: <CR>
unique name level [1]: <CR>

Parsing ISPS file -- "testproofs/extest.isp"

Markpoint-to-markpoint translating ISPS file -- "testproofs/extest.isp"
[sd pre: (|.x| ge |.y|, .sd.machine\upc = sd.machine\started)
mod: (x, y, sd.machine\upc)
post: (exists gv-y-11054 exists gv-x-11053 (((gv-x-11053 = 0(16) or
gv-y-11054 = 0(16)) &
lh(gv-x-11053) = 16 &
lh(gv-y-11054) = 16) &
(|gv-x-11053| = 0
--> #sd.machine\upc = sd.machine\halted &
#y = 0(14) @ 1(2) &
#x = 0(16))))]

[sd pre: (|.x| ge |.y|, .sd.machine\upc = sd.machine\started)
mod: (x, y, sd.machine\upc)
post: (exists gv-y-11054 exists gv-x-11053 (((gv-x-11053 = 0(16) or
gv-y-11054 = 0(16)) &
lh(gv-x-11053) = 16 &
lh(gv-y-11054) = 16) &
(|gv-x-11053| ~= 0
--> #sd.machine\upc = sd.machine\halted &
#x = 0(16) &
#y = 0(16))))]

[sd pre: (|.x| lt |.y| & .sd.machine\upc = sd.machine\started, |.x| = 0)
mod: (y, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #y = 0(14) @ 1(2))]

[sd pre: (|.x| lt |.y| & .sd.machine\upc = sd.machine\started,
|.x| ~= 0)
mod: (sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted)]


<sdvs.2> ppsd

state delta: mpisps

file name: extest.isp
starting mark point []: <CR>
ending mark points []: <CR>
preconditions []: <CR>

covering(sd.machine, x, y, sd.machine\upc)
declare(x, type(bitstring, 16))
declare(y, type(bitstring, 16))

[sd pre: (|.x| ge |.y|, .sd.machine\upc = sd.machine\started)
mod: (x, y, sd.machine\upc)
post: (exists gv-y-11054 exists gv-x-11053 (((gv-x-11053 = 0(16) or
gv-y-11054 = 0(16)) &
lh(gv-x-11053) = 16 &
lh(gv-y-11054) = 16) &
(|gv-x-11053| = 0
--> #sd.machine\upc = sd.machine\halted &
#y = 0(14) @ 1(2) &
#x = 0(16))))]

[sd pre: (|.x| ge |.y|, .sd.machine\upc = sd.machine\started)
mod: (x, y, sd.machine\upc)
post: (exists gv-y-11054 exists gv-x-11053 (((gv-x-11053 = 0(16) or
gv-y-11054 = 0(16)) &
lh(gv-x-11053) = 16 &
lh(gv-y-11054) = 16) &
(|gv-x-11053| ~= 0
--> #sd.machine\upc = sd.machine\halted &
#x = 0(16) &
#y = 0(16))))]

[sd pre: (|.x| lt |.y| & .sd.machine\upc = sd.machine\started, |.x| = 0)
mod: (y, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #y = 0(14) @ 1(2))]

[sd pre: (|.x| lt |.y| & .sd.machine\upc = sd.machine\started,
|.x| ~= 0)
mod: (sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted)]

It is clear that the following state delta (call it extsd1) is true:

[sd pre: (mpisps(extest2.isp), .sd.machine\upc = sd.machine\started)
mod: (all)
post: (|#x| le |#y|, #sd.machine\upc = sd.machine\halted)]

and the following proof works:

(prove extsd1
proof:
  cases |.x| ge |.y|
    then proof:
      (apply,
       cases |.x| = 0
         then proof:
           (apply,
            close)
         else proof:
           (notice |.y| = 0,
            apply,
            close))
    else proof:
      (apply,
       cases |.x| = 0
         then proof:
           (apply,
            close)
         else proof:
           cases |.y| = 0
             then proof:
             else proof:
               (apply,
                close)))

As a good exercise, try to input the above state delta and proof in the editor, using the
defsd and defproof functions. Remember to use two slashes "\\" in the editor to get one
real slash.

We cannot currently prove the corresponding state delta involving extest.isp; any state
deltas resulting from mpisps that contain existential quantifiers should be suspect. The
user should eliminate these quantifiers by adding mark points in suitable places in the
original ISPS.

Now let us examine the state delta formed by making .x ≥ .y an assumption. Call the
following extended ISPS program extest3.isp:

sd.machine US :=

BEGIN

**Registers**

x<15:0>, y<15:0>

**Algorithm**

exec MAIN :=

BEGIN

!![ASSUME: (|.x| ge |.y|)] NEXT
if x eql 0 => y _ 1 NEXT
if y eql 0 => x _ 0
END
END


<sdvs.1> mpisps

path name [testproofs/extest.isp]: testproofs/extest3.isp
starting mark point []: <CR>
ending mark points []: <CR>
preconditions []: <CR>
unique name level [1]: <CR>

Parsing ISPS file -- "testproofs/extest3.isp"

Markpoint-to-markpoint translating ISPS file -- "testproofs/extest3.isp"

[sd pre: (|.x| ge |.y| & .sd.machine\upc = sd.machine\started, |.x| = 0)
mod: (y, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #y = 0(14) @ 1(2))]

[sd pre: (|.x| ge |.y| & .sd.machine\upc = sd.machine\started,
|.x| ~= 0, |.y| = 0)
mod: (x, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #x = 0(16))]

[sd pre: (|.x| ge |.y| & .sd.machine\upc = sd.machine\started,
|.x| ~= 0, |.y| ~= 0)
mod: (sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted)]

<sdvs.2> ppsd

state delta: mpisps

file name: extest3.isp
starting mark point []: <CR>
ending mark points []: <CR>
preconditions []: <CR>

covering(sd.machine, x, y, sd.machine\upc)
declare(x, type(bitstring, 16))
declare(y, type(bitstring, 16))

[sd pre: (|.x| ge |.y| & .sd.machine\upc = sd.machine\started, |.x| = 0)
mod: (y, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #y = 0(14) @ 1(2))]

[sd pre: (|.x| ge |.y| & .sd.machine\upc = sd.machine\started,
|.x| ~= 0, |.y| = 0)
mod: (x, sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted, #x = 0(16))]

[sd pre: (|.x| ge |.y| & .sd.machine\upc = sd.machine\started,
|.x| ~= 0, |.y| ~= 0)
mod: (sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted)]


7.3.5  External  and  auxiliary  variables 

External  and  auxiliary  variables  are  introduced  into  ISPS  descriptions  in  order  to  extend 
the  possibilities  of  expression,  not  just  to  facilitate  expression.  These  extended  possibilities 
are  reflected  in  the  translation  of  the  description  into  state  deltas  and  the  methods  of  proof 
needed  to  verify  claims  of  implementation  between  two  levels  of  description. 

Both external and auxiliary variables satisfy specification needs arising from real problems.
External variables have their intuitive motivation in “input variables,” that is, variables
whose value may change at random, upon receipt of a signal from some external source
(external with respect to the level of description in which they appear designated as
“external”), in addition to any changes explicitly required by that description.

The  idea  for  auxiliary  variables  is  found  in  the  concept  of  temporary  variables.  Generally 
speaking,  the  designation  “auxiliary”  is  used  for  any  variable  whose  contents  are  not  to 
be  relied  on,  or  even  considered,  by  any  “outside”  observer  (although  of  course  they  may 
be  essential  to  the  internal  workings  of  the  description).  When  viewed  from  the  outside, 
auxiliary  variables  are  not  considered  to  be  part  of  the  state  of  the  system. 


7.3.6  External  variables 

The suffix !!ext may be appended to any ISPS declaration, e.g.

x<15:0>!!ext

This  indicates  that  the  variable  may  change  value  during  any  state  change  explicitly  allowed 
by  the  ISPS  program.  There  is  no  need  to  change  the  syntax  or  semantics  of  state  deltas  to 
account  for  the  external  variables.  An  ISPS  program  with  ext  is  translated  into  state  deltas 
just  as  before,  with  the  addition  that  the  external  variables  appear  in  every  mod  list. 

In the case of markpoint-to-markpoint translation, care must be taken, for example, when
there is a case split on an external variable between the starting and ending markpoint.
However, when we take the view that markpoint-to-markpoint translation equals the
composition of the state deltas representing the translation of the fine-grained state changes,
the problem of external variables is just a subcase of the general problem (remember that
the only special handling that external variables need is to be placed in every mod list).




For  example,  consider  the  machine  (on  file  extest4. isp): 


sd.machine US :=

BEGIN

**Registers**

x<15:0>,
y<15:0>!!ext

**Algorithm**

exec MAIN :=

BEGIN

if x eql 0 => y _ 1 NEXT
if y eql 0 => x _ 0
END
END

and  consider  the  state  delta 

<sdvs.1> ppsd

state delta: extsd

[sd pre: (|.x| = 1, isps(extest4.isp),
.sd.machine\upc = sd.machine\started)
mod: (all)
post: (#sd.machine\upc = sd.machine\halted, |#x| = 0 or |#x| = 1)]

The  following  proof  works: 

<sdvs.1> pp

object: extproof

proof extproof:

prove extsd
proof:
  (apply,
   cases |.y| = 0
     then proof:
       (apply 3,
        close)
     else proof:
       (apply 2,
        close))

<sdvs.1> interpret

proof name: extproof

open -- [sd pre: (|.x| = 1, isps(extest4.isp),
.sd.machine\upc = sd.machine\started)
mod: (all)
post: (#sd.machine\upc = sd.machine\halted,
|#x| = 0 or |#x| = 1)]

apply -- [sd pre: (.sd.machine\upc = sd.machine\started,
.x == 0(2) 1(1))
mod: (sd.machine\upc)
post: ([tr in SD.MACHINE IF;])]

cases -- |.y| = 0

open -- [sd pre: (|.y| = 0)
comod: (all)
mod: (all)
post: (#sd.machine\upc = sd.machine\halted,
|#x| = 0 or |#x| = 1)]

apply -- [sd pre: (.y == 0(2) = 1(1))
comod: (sd.machine\upc)
mod: (sd.machine\upc)
post: ([tr in SD.MACHINE X _ ;])]

apply -- [sd pre: (true)
comod: (sd.machine\upc)
mod: (sd.machine\upc, x)
post: (#x = 0(14) @ 0(2),
[tr @SD.MACHINE\halted])]

apply -- [sd pre: (true)
comod: (sd.machine\upc)
mod: (sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted)]

close -- 3 steps/applications

open -- [sd pre: (~(|.y| = 0))
comod: (all)
mod: (all)
post: (#sd.machine\upc = sd.machine\halted,
|#x| = 0 or |#x| = 1)]

apply -- [sd pre: (.y == 0(2) 1(1))
comod: (sd.machine\upc)
mod: (sd.machine\upc)
post: ([tr @SD.MACHINE\halted])]

apply -- [sd pre: (true)
comod: (sd.machine\upc)
mod: (sd.machine\upc)
post: (#sd.machine\upc = sd.machine\halted)]

close -- 2 steps/applications

join -- [sd pre: (true)
comod: (all)
mod: (all)
post: (#sd.machine\upc = sd.machine\halted,
|#x| = 0 or |#x| = 1)]

close -- 2 steps/applications


7.3.7 Auxiliary variables

The suffix !!aux may be appended to any ISPS declaration, e.g.

x<15:0>!!aux

The  difference  between  the  semantics  of  such  an  annotated  ISPS  program  and  the  semantics 
of  an  unannotated  one  becomes  apparent  only  when  one  considers  the  interaction  of  the 
programs  with  another  level.  Auxiliary  variables  in  target  or  host  cannot  play  a  role  in 
the  mapping.  Thus,  target  auxiliary  variables  are  not  mapped  from,  and  host  auxiliary 
variables  are  not  mapped  to.  Auxiliary  variables  do  not  appear  in  state  deltas  that  are  the 
result  of  mpisps. 

Consider  the  machine 

aux.machine US :=

BEGIN

**Registers**

x<15:0>,
y<15:0>,
temp<15:0>!!aux

**Algorithm**

exec MAIN :=
BEGIN

temp _ x next
x _ y next
y _ temp
END
END


<sdvs.1> ppsd

state delta: mpisps

file name: auxtest.isp
starting mark point []: <CR>
ending mark points []: <CR>
preconditions []: <CR>

covering(aux.machine, x, y, aux.machine\upc)
declare(x, type(bitstring, 16))
declare(y, type(bitstring, 16))

[sd pre: (.aux.machine\upc = aux.machine\started)
mod: (y, x, aux.machine\upc)
post: (#aux.machine\upc = aux.machine\halted, #y = .x, #x = .y)]


Now  we  shall  construct  a  theorem  saying  that  auxtest  implements  itself. 

<sdvs.1> implementation

theorem name: aux.thm
upper-level spec: mpisps

file name: auxtest.isp
starting mark point []: <CR>
ending mark points []: <CR>
preconditions []: <CR>

lower-level spec: isps

file name: auxtest.isp
mappings: mapping(.x, .x), mapping(.y, .y),
mapping(.aux.machine\upc, .aux.machine\upc)
constants []: <CR>

invariants []: <CR>

Implementation theorem 'aux.thm' created.

<sdvs.1> ppsd

state delta: aux.thm

[sd pre: (isps(auxtest.isp),
aux.thm.places = union(x, y, aux.machine\upc,
aux.machine\aux),
aux.thm.mapped.places = union(x, y, aux.machine\upc),
aux.thm.unmapped.places
= diff(aux.thm.places, aux.thm.mapped.places))
post: (alldisjoint(x, y, aux.machine\upc),
[sd pre: (true)
comod: (all)
post: (forall a1 (lh(a1) = 16 --> lh(a1) = 16),
forall a1 (lh(a1) = 16 --> lh(a1) = 16))],
[sd pre: (.aux.machine\upc = aux.machine\started)
mod: (y, x, aux.machine\upc, aux.thm.unmapped.places)
post: (#aux.machine\upc = aux.machine\halted, #y = .x,
#x = .y)])]

<sdvs.1> prove

state delta []: aux.thm
proof []: <CR>

open -- [sd pre: (isps(auxtest.isp),
aux.thm.places
= union(x, y, aux.machine\upc, aux.machine\aux),
aux.thm.mapped.places = union(x, y, aux.machine\upc),
aux.thm.unmapped.places
= diff(aux.thm.places, aux.thm.mapped.places))
post: (alldisjoint(x, y, aux.machine\upc),
[sd pre: (true)
comod: (all)
post: (forall a1 (lh(a1) = 16 --> lh(a1) = 16),
forall a1 (lh(a1) = 16 --> lh(a1) = 16))],
[sd pre: (.aux.machine\upc = aux.machine\started)
mod: (y, x, aux.machine\upc, aux.thm.unmapped.places)
post: (#aux.machine\upc = aux.machine\halted,
#y = .x, #x = .y)])]

Complete  the  proof. 

<sdvs.1.1> whynotgoal
simplify? [no]: <CR>

g(2) [sd pre: (true)
comod: (all)
post: (forall a1 (lh(a1) = 16 --> lh(a1) = 16),
forall a1 (lh(a1) = 16 --> lh(a1) = 16))]
g(3) [sd pre: (.aux.machine\upc = aux.machine\started)
mod: (y, x, aux.machine\upc, aux.thm.unmapped.places)
post: (#aux.machine\upc = aux.machine\halted, #y = .x, #x = .y)]

<sdvs.1.1> prove
state delta []: g
number: 2
proof []: <CR>

open -- [sd pre: (true)
comod: (all)
post: (forall a1 (lh(a1) = 16 --> lh(a1) = 16),
forall a1 (lh(a1) = 16 --> lh(a1) = 16))]

close -- 0 steps/applications

Complete the proof.

<sdvs.1.2> prove
state delta []: g
number: 3
proof []: <CR>

open -- [sd pre: (.aux.machine\upc = aux.machine\started)
mod: (y, x, aux.machine\upc, aux.thm.unmapped.places)
post: (#aux.machine\upc = aux.machine\halted, #y = .x,
#x = .y)]


Complete  the  proof. 


<sdvs.1.2.1> *

apply -- [sd pre: (.aux.machine\upc = aux.machine\started)
mod: (aux.machine\upc, temp)
post: (#temp = .x,
[tr in AUX.MACHINE X _ ; Y _ ;])]

apply -- [sd pre: (true)
comod: (aux.machine\upc)
mod: (aux.machine\upc, x)
post: (#x = .y,
[tr in AUX.MACHINE Y _ ;])]

apply -- [sd pre: (true)
comod: (aux.machine\upc)
mod: (aux.machine\upc, y)
post: (#y = .temp,
[tr @AUX.MACHINE\halted])]

apply -- [sd pre: (true)
comod: (aux.machine\upc)
mod: (aux.machine\upc)
post: (#aux.machine\upc = aux.machine\halted)]

close -- 4 steps/applications

close -- 2 steps/applications
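The three annotations shown in sections 7.3.4 through 7.3.7 (an ASSUME that is carried into every precondition, an !!ext register that may change at any state change, and an !!aux register that never reaches the translation) can be reproduced with a small path enumerator. The Python below is an added illustration, not SDVS code; it walks the tutorial's extest3, extest4 and auxtest machines, case-splitting on undecided register tests as mpisps does, and assumes, as its own modelling choice, that an external register takes a fresh unknown value before every statement; mark points and the program counter are left out.

```python
from dataclasses import dataclass
from itertools import count

# A value is a concrete int or a Sym: ".x" is the initial contents of x, "y'3" a
# fresh unknown that an !!ext register picked up from outside (modelling assumption).
@dataclass(frozen=True)
class Sym:
    name: str

@dataclass(frozen=True)
class Assign:        # "v _ src", src an int constant or the name of another register
    var: str
    src: object

@dataclass(frozen=True)
class IfZero:        # "if v eql 0 => assignment"
    var: str
    then: Assign

@dataclass(frozen=True)
class Assume:        # "!![ASSUME: (cond)]": the text is carried into every precondition
    cond: str

@dataclass(frozen=True)
class Machine:
    regs: tuple                         # declared registers, in declaration order
    body: tuple                         # statements joined by NEXT
    external: frozenset = frozenset()   # "!!ext": may change at any state change
    aux: frozenset = frozenset()        # "!!aux": invisible in the resulting deltas

def render(v):
    return v.name if isinstance(v, Sym) else str(v)

def mpisps(m):
    """Enumerate every feasible path through m.body and return one
    (pre, mod, post) triple per path; the program counter is left out."""
    fresh, deltas = count(1), []
    initial = lambda r: Sym(f".{r}")

    def assign(env, a):
        return {**env, a.var: a.src if isinstance(a.src, int) else env[a.src]}

    def finish(env, pre):
        visible = [r for r in m.regs if r not in m.aux]      # aux registers vanish
        mod = tuple(r for r in visible if r in m.external or env[r] != initial(r))
        # a register holding a fresh external value has no equation worth stating
        post = tuple(f"#{r} = {render(env[r])}" for r in visible
                     if env[r] != initial(r) and "'" not in render(env[r]))
        return pre, mod, post

    def walk(stmts, env, pre, facts):
        if not stmts:
            deltas.append(finish(env, pre))
            return
        s, rest = stmts[0], stmts[1:]
        if isinstance(s, Assume):                # no state change, only a constraint
            walk(rest, env, pre + (s.cond,), facts)
            return
        # each state change may also have changed the external registers (assumption)
        env = {r: Sym(f"{r}'{next(fresh)}") if r in m.external else v
               for r, v in env.items()}
        if isinstance(s, Assign):
            walk(rest, assign(env, s), pre, facts)
            return
        t = env[s.var]                           # IfZero
        if isinstance(t, int):                   # decidable: no case split needed
            walk(rest, assign(env, s.then) if t == 0 else env, pre, facts)
        elif t.name in facts:                    # already decided earlier on this path
            walk(rest, assign(env, s.then) if facts[t.name] else env, pre, facts)
        else:                                    # split on the test, as mpisps does
            walk(rest, assign(env, s.then), pre + (f"|{t.name}| = 0",),
                 {**facts, t.name: True})
            walk(rest, env, pre + (f"|{t.name}| ~= 0",), {**facts, t.name: False})

    walk(m.body, {r: initial(r) for r in m.regs}, (), {})
    return deltas

def verify_extsd(deltas):
    """The tutorial's extsd for extest4: from |.x| = 1 the machine halts with |#x| = 0
    or |#x| = 1.  Paths needing |.x| = 0 are excluded; elsewhere x is untouched or 0."""
    live = [d for d in deltas if "|.x| = 0" not in d[0]]
    return bool(live) and all(
        {p for p in d[2] if p.startswith("#x")} <= {"#x = 0"} for d in live)

BODY = (IfZero("x", Assign("y", 1)), IfZero("y", Assign("x", 0)))
EXTEST3 = Machine(("x", "y"), (Assume("|.x| ge |.y|"),) + BODY)     # extest3.isp
EXTEST4 = Machine(("x", "y"), BODY, external=frozenset({"y"}))     # extest4.isp
AUXTEST = Machine(("x", "y", "temp"), (Assign("temp", "x"), Assign("x", "y"),
                  Assign("y", "temp")), aux=frozenset({"temp"}))   # auxtest.isp

if __name__ == "__main__":
    for name, m in (("extest3", EXTEST3), ("extest4", EXTEST4), ("auxtest", AUXTEST)):
        print(name, *mpisps(m), sep="\n  ")
    print("extsd holds for extest4:", verify_extsd(mpisps(EXTEST4)))
```

For extest3 the enumerator yields exactly the three deltas printed by mpisps above; for auxtest the temp register is absent from both the mod list and the postcondition, and for extest4 the external y is in every mod list while the theorem extsd still holds on every path.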


7.3.8  The  new  ISPS  translator 

The new translator can be accessed by the command ispstr. The associated predicate is
newisps. We present an example comparing the new with the old translator on the ISPS
program inc1.isp:

! inc1.ISP

inc1 US := (

**Registers**

x<7:0>

**Processes**

inc1 MAIN := BEGIN

REPEAT BEGIN
loop1 := x _ x + 1
END

END

)

First, using the new translator:

<sdvs.1> pp

object: newinc0.sd

[sd pre: (newisps(inc1.isp))
post: (newisps(inc1.isp))]

We  would  expect  this  to  be  true  and  trivially  provable,  and  it  is  with  the  new  translator. 

<sdvs.1> setflag

flag variable: autoclose
on or off [off]: off

setflag autoclose -- off

<sdvs.2> prove

state delta []: newinc0.sd
proof []: <CR>

open -- [sd pre: (newisps(inc1.isp))
post: (newisps(inc1.isp))]

Complete the proof.

<sdvs.2.1> goals

g(1) covering(inc1, inc1\upc, x)
g(2) declare(x, type(bitstring, 8))
g(3) [sd pre: (.inc1\upc = inc1\started)
comod: (all)
mod: (inc1\upc)
post: ([ispstr t(inc1) inc1 ...])]

<sdvs.2.1> whynotgoal
simplify? [no]: <CR>

The goal is TRUE. Type "close".

<sdvs.2.1> close

close -- 0 steps/applications

<sdvs.3> setflag

flag variable: autoclose
on or off [on]: on

setflag autoclose -- on

Using  the  old  translator  things  are  not  so  trivial: 
<sdvs.1> pp

object: newinc1.sd

[sd pre: (isps(inc1.isp))
post: (isps(inc1.isp))]

<sdvs.1> prove

state delta []: newinc1.sd
proof []: <CR>

open -- [sd pre: (isps(inc1.isp))
post: (isps(inc1.isp))]

Complete the proof.

<sdvs.1.1> whynotgoal
simplify? [no]: <CR>

g(3) [tr @INC1\STARTED in INC1 REPEAT;]

g(4) [tr @LOOP1 in INC1 X _ ; REPEAT;]

In fact, it appears that this is unprovable in SDVS 13.
ada(progfile.ada) 104

adatr  104 

applicable  21 

apply  with  no  argument  21 

apply  with  usable  state  delta  number  29 

apply  with  state  delta  name  30 

apply  a  number  of  times  32 

apply  with  modlist  violation  48 

applydecls  165 

array  type  70 

length  70 
origin  70 
range  70 
slice  70 

bitstring  type  70 

operations  70 
boolean  type  70 
cases  38,  41 
close  22 

createadalemma  115 

createlemma  92 

createsd  17 

declare  69 

delete  25 

deleteaxioms  83 

displaympsds  flag  203 

dump-proof  23,  35 

dump-proof  for  a  partial  proof  88 

exists  73 

flags  19 

forall 73

go  119 

goals  29 

help  with  axioms  80 

help with function and predicate symbols 82

help  with  types  69 
induct  55,  57,  64 
init  18,  26 

init  with  proof  name  parameter  24 
instantiate  73 
instantiate  for  a  goal  77 


instantiate for a usable quantified formula 75
integer  type  70 
interpret  24,  26 
invokeadalemma  121 
ispstr  222 
isps  207 
letsd  150 
let  56 
mcases 38
mpisps  202,  207 
newisps  222 
nsd  21 
pc  106 
pop  31 
ppsd  162 
pp  18,  24 
pp  proof  33 
pp  axioms  82 

pp  lemma  and  lemmaproof  96 
pp  a  translated  Ada  program  128 
ppeq  28 
ppl  39 
prove  19 

prove  with  a  goal  parameter  49 
proveadalemma  116 
provebyaxiom 80, 97
provebyinstantiation  73,  75 
provebylemma 97
provelemma  94 
ps  31 

quantification  73 
quit  35 

quit with “unproved lemma” notification 93

range  56 
read  26 
read  axioms  81 
rewritebyaxiom  80,  88 
rewritebyaxiom with no axiom parameter 95

rewritebylemma  92 
run-test-proofs 15
setflag 19
simp  20 
until  32,  117 
usable  20 

vhdl-processes  166,  168 
vhdl-signals  166 
vhdl-time  166 
vhdltr  161 

whynotapply  40,  48,  63 
whynotgoal with simplify 87